THE FEDERAL TRADE COMMISSION AND ITS
SECTION 5 AUTHORITY: PROSECUTOR, 
JUDGE, AND JURY 


Thursday, July 24, 2014 

House of Representatives, 

Committee on Oversight and Government Reform, 

Washington, D.C. 

The committee met, pursuant to call, at 9:37 a.m., in Room 2154, 
Rayburn House Office Building, Hon. Darrell E. Issa [chairman of 
the committee] presiding. 

Present: Representatives Issa, Mica, Turner, Duncan, Jordan, 
Chaffetz, Walberg, Lankford, Gosar, Massie, Collins, Meadows, 
Bentivolio, DeSantis, Cummings, Maloney, Norton, Tierney, Clay, 
Lynch, Connolly, Duckworth, Kelly and Lujan Grisham. 

Staff Present: Jen Barblan, Senior Counsel; Molly Boyl, Deputy 
General Counsel and Parliamentarian; Ashley H. Callen, Deputy 
Chief Counsel for Investigations; Sharon Casey, Senior Assistant 
Clerk; Steve Castor, General Counsel; John Cuaderes, Deputy Staff 
Director; Adam P. Fromm, Director of Member Services and Com- 
mittee Operations; Linda Good, Chief Clerk; Tyler Grimm, Senior 
Professional Staff Member; Christopher Hixon, Chief Counsel for 
Oversight; Mark D. Marin, Deputy Staff Director for Oversight; 
Ashok M. Pinto, Chief Counsel, Investigations; Andrew Shult, Dep- 
uty Digital Director; Rebecca Watkins, Communications Director; 
Jeff Wease, Chief Information Officer; Sang H. Yi, Professional 
Staff Member; Meghan Berroya, Minority Deputy Chief Counsel; 
Courtney Cochran, Minority Press Secretary; Jennifer Hoffman, 
Minority Communications Director; Julia Krieger, Minority New 
Media Press Secretary; Lucinda Lessley, Minority Policy Director; 
Juan McCullum, Minority Clerk; Dave Rapallo, Minority Staff Di- 
rector; and Brandon Reavis, Minority Counsel/Policy Advisor. 

Chairman ISSA. The committee will come to order. Without objection,
the chair is authorized to declare a recess of the committee
at any time. Today’s hearing, “The Federal Trade Commission and
Its Section 5 Authority: Prosecutor, Judge, and Jury.”

The Oversight Committee mission statement is that we exist to 
secure two fundamental principles. First, Americans have a right 
to know that the money Washington takes from them is well spent. 
And second, Americans deserve an efficient, effective government 
that works for them. Our duty on the Oversight and Government 
Reform Committee is to protect these rights. Our solemn responsi- 
bility is to hold government accountable to taxpayers, because tax- 
payers have a right to know what they get from their government. 
It is our job to work tirelessly, in partnership with citizen watchdogs,
to deliver the facts to the American people and bring genuine
reform to the Federal bureaucracy. 

With that, I would recognize the ranking member for his opening 
statement. 

Mr. Cummings. Thank you very much, Mr. Chairman. 

Today’s hearing will cover several new issues for this committee. 
First, the Republican briefing memo says that the committee will 
examine, “whether the FTC has the authority to pursue data secu- 
rity enforcement actions under its current Section 5 authority.” In 
Section 5 of the FTC Act, Congress gave the FTC authority to pro- 
tect American consumers, that is our constituents, and ensure that 
their personal, medical, financial, and other information is pro- 
tected from unauthorized disclosure. The FTC has been using this 
authority to ensure that companies who receive this type of con- 
sumer information take appropriate steps to safeguard it. In fact, 
a Federal judge recently upheld this authority and rejected an at- 
tempt to, “carve out a data security exception.” 

Yesterday, Senator Rockefeller, the chairman of the Senate Com- 
merce Committee and an expert on this issue, sent a letter to the 
chairman emphasizing this point. He wrote, “Another apparent 
purpose of your hearing is to express skepticism about the FTC’s 
long-standing and well-established legal authority under Section 5 
of the FTC Act. This skepticism is unfounded, and your public posi- 
tion was recently rejected by a Federal judge in the FTC data secu- 
rity case against Wyndham Corporation.” 

He goes on to say, “Over the past 13 years, the Commission has 
initiated dozens of administrative adjudicatory proceedings in cases 
in Federal court challenging practices that compromised security of 
consumers’ data and that resulted in improper disclosures of per- 
sonal information collected from consumers.” 

According to the Republican memo, today the committee will also 
examine, “recent FTC actions related to data security practices.” 
One of the witnesses testifying today is Michael Daugherty, the 
CEO of a company called LabMD. The FTC has brought an enforce- 
ment action against LabMD, and Mr. Daugherty admits that more 
than 900 files on his billing manager’s computer were accessible for 
public sharing and downloading, which is a major security breach. 

Mr. Daugherty has written a book entitled “The Devil Inside the 
Beltway.” In it, he refers to the FTC as, “terrorists.” He also accuses
the FTC of engaging in, “psychological warfare” and “torture,”
and of “administering government chemotherapy.” Of course
he has a right to his opinion, but this committee should base its 
oversight work on facts rather than the extreme rhetoric of a de- 
fendant in an ongoing enforcement action. 

As part of our investigation, we have also received competing al- 
legations about Tiversa, a data security firm that provided informa- 
tion to the FTC about LabMD’s security breach. Obviously, we all 
agree that the FTC should rely only on evidence it believes to be 
legitimate. If allegations are ultimately verified that Tiversa pro- 
vided intentionally falsified data, that data clearly should not be 
used in any enforcement action. But to date, we have obtained no 
evidence to corroborate these allegations. So they remain just that, 
unconfirmed allegations. 

Unfortunately, on June 17th, the chairman sent a letter to the
FTC inspector general alleging coordination and collaboration be- 
tween the FTC and Tiversa, and suggesting that, “the FTC aided 
a company whose business practices allegedly involved dissemi- 
nating false data about the nature of data security breaches.” The 
chairman wrote that, “the FTC appears to have acted on informa- 
tion provided by Tiversa without verifying it in any meaningful 
way.” He also requested that the inspector general examine the ac- 
tions of several specific FTC employees. 

I do not know how the chairman had reached these conclusions 
since the committee has not yet spoken to a single FTC employee. 
The committee just requested documents from the FTC less than 
a week ago, and the committee has obtained no evidence to support 
claims that the FTC officials directed Tiversa employees to fab- 
ricate information. To the contrary, every single current and former 
Tiversa employee interviewed by the committee staff has uniformly 
denied receiving any requests from FTC employees relating to fab- 
ricating information. 

In response to the chairman’s request for an investigation, the 
inspector general has now informed the committee that one of the 
employees named in his letter in fact was, “brought in to assist 
with the LabMD case after Tiversa was no longer involved, and she 
has not been working on the case for the past year.” As I close, so 
it appears that some of the chairman’s information was incorrect. 

I am sure we will hear a lot of allegations today from parties in 
this ongoing litigation. Our job is not to take sides, but rather to 
serve as the neutral overseers and base our conclusions on the 
facts and the evidence. 

The consequences of having personal information compromised 
can be devastating. As the new Republican majority leader Kevin 
McCarthy has said, “Nothing can turn a life upside down more 
quickly than identity theft.” I agree with him. That is why I wrote 
to Chairman Issa in January proposing the committee examine the 
massive data security breach at Target, which may have com- 
promised the personal information of more than 100 million Amer- 
ican consumers. Instead of holding hearings like today’s, which 
seeks to cast doubt on whether the FTC even has the authority to 
protect our constituents, the consumers, the American consumers, 
I hope the committee will turn to constructive efforts to improve 
corporate data security standards across the board. And I thank 
you, Mr. Chairman. 

Chairman ISSA. I thank the ranking member.

Chairman ISSA. Today’s hearing concerns the Federal Trade
Commission and information this committee has uncovered that 
raises some important questions. As long as I have been chairman, 
and as long as I am chairman, this committee will focus, as its 
name implies, Government Oversight and Reform Committee. It is
not for us to look first to the private sector. It is not for us to issue 
subpoenas and target private sector for their beliefs, for their prac- 
tices, or for the failures that they certainly are paying a high price 
for, as Target is and should. 

During my tenure, healthcare.gov was launched. Anyone of ordi- 
nary skill could have gone into the Web site, changed a few state- 
ments, a few of the letters in the top of the screen, while looking 
at their record, and seen somebody else’s record at the launch. On
a billion-dollar Web design, it was vulnerable to ordinary hacking 
and accidents at the time it was launched. 

The FTC did not sue President Obama or any of the chief infor- 
mation officers responsible for this failure. They did not sue the 
Secretary. They did not even sue the companies who delivered this 
shoddy work. Instead these were systematically, when discovered, 
corrected at taxpayers’ expense. That was the right thing to do. 
When mistakes are made, when vulnerabilities are recognized, it’s 
the responsibility of the entity to do its best to fix them. 

If the Federal Trade Commission was overseeing companies 
whose vulnerabilities are exposed, demanding that they fix it or 
face the consequences, absolutely we would say they were doing 
their job. If the Federal Trade Commission had even published a 
best practices minimum requirement for data security, we would be 
able to say that the law was clear, and that somebody failed to live 
up to those stated guidelines. But none of these exist. The Federal 
Trade Commission cannot tell you what is right; they only will 
come in and demand a consent decree if, in fact, you, through fault 
or no fault of your own, become a victim of hacking or a recognition 
of a vulnerability. 

The FTC is using its regulatory authority not to help protect con- 
sumers, but, in fact, to get simple consent decrees using the unlim- 
ited power it has to not only sue at government expense, but to 
force you before administrative law judges that, in fact, are part of 
the executive branch. Millions of dollars will be spent attempting 
to defend yourself against the Federal Trade Commission even if 
you are right. And what if you’re wrong? What if you’re wrong? 
What if something happened? What is your choice? 

Several years ago, under Chairman Waxman, I watched a dem- 
onstration of a vulnerability created by a third-party software that 
people were using to share music. I’m a techie. I was impressed. 
I saw that this software was downloaded by hundreds of thousands 
of people, put onto computers they owned or didn’t own, and it cre- 
ated a vulnerability. It was deceptive — at least according to testi- 
mony, it was deceptive in how it did it. And our own people loaded 
the software and agreed that when you loaded it, the default would 
make the hard drive of the computer it was loaded on vulnerable 
in every one of its directories, when, in fact, you were really only 
attempting to make your music directory available for sharing. 

In both public and private systems around the country, this soft- 
ware was downloaded and created what people thought was a peer- 
to-peer music sharing, and, in fact, created a vulnerability in which 
people could look at what was on your hard drive. 

We were aghast. We thanked our witnesses for making us aware 
of it, and we committed ourselves to stop the deceptive practice of 
this software company, something over which the FTC had author- 
ity and should have acted. 

But, in fact, what we are finding is that what we were told was 
only a part of the story. When information does — the question 
today is how is the FTC using that regulatory authority, and are 
they doing their job? Are they targeting the culprit or the victim? 
What information does the agency consider to be a reliable basis 
to embark? 

Mr. Lynch. Mr. Chairman, could I ask you why the clock is not 
running on any of this? 

Chairman ISSA. We didn’t stop the ranking member from going 
as long as he wanted, well over the time. That’s the practice of the 
committee. I thank you. 

Mr. Lynch. That’s a good answer. Thank you. 

Chairman ISSA. What information does the agency consider to be
a reliable basis to embark on often erroneous inquisitions, in the 
chairman’s opinion, into the activities of American companies? 

The committee held two hearings in the past, as I mentioned, 
one in 2007 and another in 2009, about the potential for individ- 
uals using peer-to-peer file-sharing programs to inadvertently 
share sensitive or otherwise confidential information. The key wit- 
ness in both of these hearings was Mr. Robert Boback, the CEO of 
a cyber intelligence firm, Tiversa, Incorporated. That CEO outlined 
numerous data breaches that deeply troubled members of the com- 
mittee. 

Mr. Boback specifically spoke about an Open Door Clinic, a non- 
profit AIDS clinic in Chicago’s suburbs in 2009. He said, “These are 
AIDS victims, 184 patients, who are now victims of identity theft. 
The clinic released their information and has not addressed it.” But 
the Open Door Clinic has told us they have no information of any 
of their patients having had their identities stolen. We do not know 
why Mr. Boback made the claim to this committee previously, and 
we will hear that today. 

Earlier this year this committee became aware, on a bipartisan 
basis, of serious accusations that Tiversa engaged in a business 
model that was not focused on protecting consumers alone, but ob- 
taining what we would say effectively is a new form of protection 
payments from businesses. As is often the case with protection pay- 
ment demands, many businesses that did not pay up faced serious 
consequences. 

Here’s how it worked. Tiversa would contact a company or orga- 
nization and tell them that they had engaged in a practice that left 
customers’ data vulnerable. Tiversa would offer to sell the company 
or organization remediation services. Many companies took their 
services and paid, at least for a while. Others refused and found 
themselves turned over to the Federal Trade Commission. 

The cost and concerns created by an FTC investigation can be 
immense, particularly to a small business that in many cases were 
the ones that Tiversa focused on. But this isn’t just about allega- 
tions of unethical corporate behavior. The committee has asked the 
Federal Trade Commission to provide us with evidence that it inde- 
pendently verified information provided by Tiversa about busi- 
nesses before pursuing action. As the ranking member said, it’s 
been a short time, but having engaged in suits, received consent 
decrees, and litigated for years, we expected that the Federal Trade 
Commission would be able to give us at least a few examples of 
independent confirmation immediately. We are still waiting for the 
FTC to show us such evidence. We look forward to it. And as I will 
say again, we look forward to hearing from the FTC in the future 
directly. 

It’s one thing for a company like Tiversa to report all of its con- 
cerns about consumer data breaches to appropriate authorities. It’s 
quite another when enforcement authorities are selectively used,
through a special relationship, to punish firms who refuse to pay 
for those services. 

The committee has reason to believe that information provided 
by Tiversa on which the FTC relied was inaccurate. Two of our wit- 
nesses this morning were approached by Tiversa and the FTC re- 
garding data breaches. Tiversa provided information that alleged 
data breaches in these organizations to — about these breaches in 
these organizations to the FTC only after they refused to sign up 
for Tiversa’s services. 

Mr. Daugherty, the CEO of LabMD, according to my opening 
statement, has been to hell and back. I don’t think he’s gotten back 
yet. In fact, his fight with the FTC has gone on for years. The Com- 
mission wanted him to acquiesce to a consent decree admitting that 
he did not take proper precautions to avoid data breaches. 

Given that Mr. Daugherty did not believe the allegations against 
him were true or fair, he fought back, and he did so at great per- 
sonal expense. His specialized cancer-screening company is now ef- 
fectively nonexistent. 

I will let Mr. Roesler explain his experience with Tiversa and the 
tribulations he experienced thereafter, but I especially want to 
thank him for being here today. Mr. Roesler runs, as previously 
mentioned, a nonprofit AIDS clinic near Chicago, Illinois, and has 
taken time away from his important work and agreed to join us 
this morning because of how important he believes it is to tell his 
story. 

I also want to thank Mr. Stegmaier for appearing this morning. 
He will be providing invaluable testimony about the FTC’s actions 
as they relate to going after companies that are alleged to have un- 
fair, deceptive trade practices. 

Today’s hearing is an opportunity to hear from alleged victims of 
these arrangements made between Tiversa and the Federal Trade 
Commission. Neither the FTC nor Tiversa are here today, but I do 
expect to have both of them here at a future date to respond to the 
concerns and allegations that I expect we will hear today. 

Today’s hearing is the result of a whistleblower who at great per- 
sonal expense came to this committee. This committee is grateful 
to all the brave individuals who come forward to provide informa- 
tion as whistleblowers. It is only through whistleblowers that we 
see an exposure of wrongdoing by the government as well as pri- 
vate companies. Whistleblowers are not always without responsi- 
bility. Whistleblowers may, in fact, know what they know because 
for a time they participated in the wrongdoing. Nevertheless, whis- 
tleblowers are invaluable. When someone’s conscience, whether 
they were involved or not, brings them forward, they should never 
be the target of this committee. 

This whistleblower gave us a proffer, seeking immunity only for 
what he was to testify to that he had done on behalf of Tiversa. 
He detailed for this committee information that was invaluable to 
our ongoing — to our investigation, which is only ongoing because of 
his coming forward. 

At a point in the future, I expect this committee will need to 
schedule a vote on granting immunity for this whistleblower. To 
date, we have not been able to convince the minority to consider 
immunity for this whistleblower. Instead, at every turn the minority
has chosen to seek accusations against the whistleblower;
against his personal wrongdoing, his personal misconduct, his per- 
sonal life. But, in fact, to our knowledge, no evidence has come for- 
ward that would in any way dispute the accuracy of the detailed 
story that he told. 

For those Members here on both sides of the aisle, if you have 
not already seen his video proffer of how he participated in the activity,
I ask you to schedule time, Members only, to see this proffer,
because as we consider immunity, it is important that you under- 
stand the nature and detail of the evidence and accusations 
brought by this whistleblower. 

I make no credible statement as to a whistleblower’s authen- 
ticity. What I can say in this case is without the whistleblower, we 
would not be having this hearing today. And if the whistleblower 
is guilty of a crime, the crime had to be committed by others that 
he is accusing. There can be no crime if, in fact, he is not telling 
the truth. And if he is telling the truth, he participated in a decep- 
tion that affected both the Federal Trade Commission and the 
United States Congress. 

I would ask all Members, please, take time out of your busy 
schedule to view the proffer. It is detailed, it takes nearly an hour, 
but it will lead, I believe, to the kind of recognition that you cannot 
see here today in an open hearing. 

Chairman ISSA. It is now my honor to welcome our witnesses. 
Mr. Michael Daugherty is the chief executive officer of LabMD. Mr. 
David Roesler is executive director of Open Door Clinic in Illinois. 
Mr. Gregory Stegmaier is a partner at Goodwin Procter in D.C., in 
Washington, D.C. And Mr. Woodrow N. Hartzog is an associate 
professor at the Cumberland School of Law at Samford University. 

Gentlemen, pursuant to the committee rules, would you please 
rise to take the oath and raise your right hand? 

Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing but 
the truth? 

Please be seated. 

Let the record indicate that all witnesses answered in the affirm- 
ative. 

For our first two witnesses in particular, you are here to tell your 
story. I know testimony is new to you. We have a 5-minute rule. 
Your entire opening statements as prepared will be placed in the 
record. But I understand that you may go over slightly. We are not 
going to hold you exactly to 5 minutes, but to the greatest extent
possible, try to stay within the 5 minutes, which will help us ask 
you more questions in follow-up dialogue. 

Mr. Daugherty. 


WITNESS STATEMENTS 

STATEMENT OF MICHAEL DAUGHERTY 

Mr. Daugherty. Thank you. 

Good morning. Chairman Issa, Ranking Member Cummings, and 
members of the committee. My name is Michael Daugherty, and I 
am the president and CEO of LabMD, a cancer-detection laboratory 
based in Atlanta, Georgia. We were a private company that I
founded in 1996, a small medical facility that at its peak employed 
approximately 40 medical professionals who touched nearly 1 mil- 
lion lives. Thank you for the opportunity to speak to you as a small 
businessman and medical professional about my experience and 
opinion at the hands of the Federal Trade Commission. 

What happened to my company, its employees, physicians, and 
their patients is what springs from the FTC’s unsupervised play- 
book, and that playbook relies upon coercive and extortionist strat- 
egies to make large and small companies alike quickly succumb to 
FTC demands. 

In May 2008, our nightmare began with a call that could happen 
to any American. It was from Robert Boback, the CEO of Tiversa. 
And in the words of former FTC Commissioner Rosch, Tiversa is 
more than an ordinary witness, informant, or whistleblower. It is 
a commercial entity that has a financial interest in intentionally 
exposing and capturing sensitive files on computer networks. 

Mr. Boback told LabMD that Tiversa had found LabMD patient 
data on the Internet, but refused to tell us more unless we paid 
and retained them. Everyone in medicine knows you cannot go out 
intentionally looking for vulnerable medical files so you can take 
them, read them, keep them, distribute them. This is probably a 
crime, but it’s definitely vigilante behavior, and it’s outrageous. 

In January of 2010, Alain Sheer, an attorney with the FTC, con- 
tacted LabMD with an 11-page, single-spaced letter opening a non- 
public inquiry. We responded by sending in nearly 10,000 pages of 
documents, and we invited the FTC to come to Atlanta to see our 
facility, to tell us what to do differently, to tell us what their stand- 
ards were. The FTC declined. We quickly discovered that until told 
otherwise by the courts or Congress, the FTC presumes to have ju- 
risdiction to investigate any company or person. 

When we asked the FTC where they were going with this, they 
would obscurely mention consent decrees, and we learned that FTC 
consent decrees actually are this: You sign up for 20 years of au- 
dits, you enter the FTC “hall of shame” via craftily worded press 
releases and half-truth congressional testimony. The fact that you 
have not been found any wrongdoing stays buried deep in the fine 
print. And the threat of being tied up for years in court and 
drained financially is their gun to the head to extract false confes- 
sions. 

In August 2010, I had to find out what was going on here, be- 
cause something felt odd and wrong. And I learned that Homeland 
Security gave $24 million to Dartmouth to partially fund their data 
hemorrhage study. And Dartmouth stated that it got the LabMD 
file by using Tiversa’s unique and powerful technology. 

Tiversa put out a press release in May 2009 I found, which in 
part stated, Tiversa — this is their words — “Tiversa today an- 
nounced the findings of new research that revealed 13 million 
breached files emanating from over 4 million sources. Tiversa’s pat- 
ent-pending technology monitors over 450 million users, issuing 1.5 
billion searches per day. Over a 2-week period, Dartmouth College 
researchers and Tiversa searched file-sharing networks and discov- 
ered a treasure trove, a spreadsheet from an AIDS clinic with 232 
client names; a 1,718-page document from a medical testing laboratory.
And requiring no software or hardware, Tiversa detects, locates,
and identifies exposed files in real time.”

What does Tiversa want you to think “exposed” means? Out of 
13 million files found by Tiversa, how odd is it that the 2 men- 
tioned in their press release are sitting at this table today? 

I was stunned that nobody was asking who this private company 
was who was stockpiling other people’s sensitive information. What 
gave them the right to assume ownership? 

September 2013 to April 2014, the FTC pursued litigation 
against LabMD via their optional administrative process rather 
than in Federal court. FTC Commissioner Wright said this process 
provides the FTC with institutional and procedural advantages. 
This is lawyerspeak for the FTC stacks the deck way in favor via 
rules Congress allows them to make. They admit hearsay that 
would never fly in Federal court, which is why we aren’t in Federal 
court. Federal courts won’t intervene because Congress says they 
can’t. 

When asked about the FTC data security standards, Alain Sheer 
said, “There is nothing out there for a company to look at. There 
is no rulemaking. No rules have been issued.” Yet even without 
any standards, they show others what happens if you push back. 
They subpoenaed approximately 40 different individuals from my 
company, long-gone LabMD employees that left the company up to 
7 years before, current staff, managers, outside physicians, ven- 
dors. These witnesses were forced to retain counsel and were in- 
timidated and scared. Here is the message to all that are watching 
from the FTC: This is FTC justice, and this is going to happen to 
you if you don’t play along. 

And then the penny dropped. During the trial, a former Tiversa 
employee who was to testify regarding Tiversa’s acquisition of 
LabMD data and subsequent submission of the data to the FTC in- 
voked his Fifth Amendment right against self-incrimination. 

All Americans should be outraged by the FTC’s unchecked ability 
to pursue a claim that is not based on any legal standard; outraged 
that the FTC’s administrative proceedings do not afford the same 
guarantees of due process that our Federal courts provide; and out- 
raged with the FTC’s use of, and reliance upon, information from 
a private for-profit entity. If this has happened to LabMD, a small 
medical facility, a cancer-detection center, this can happen to any- 
one. 

This does nothing to help Americans adapt to the constantly 
changing cybersecurity landscape. We are not mind readers; we are 
law-abiding citizens. I call on the FTC to stop attacking victims of 
crimes. And I thank the committee for its time and attention to 
this matter. 

Chairman ISSA. Thank you. 

[Prepared statement of Mr. Daugherty follows:] 

HOUSE OVERSIGHT AND GOVERNMENT REFORM
THURSDAY, JULY 24, 2014

The Federal Trade Commission and Its Section 5 Authority: Prosecutor, Judge, and Jury

Written Testimony
Michael J. Daugherty
CEO, LabMD, Inc.

Good Morning Mr. Chairman and members of the Committee. My name is Michael
Daugherty. I am the President and CEO of LabMD, Inc., a cancer detection laboratory 
based in Atlanta, Georgia. We were a private company that I founded in 1996. A small 
medical facility that at its peak employed approximately forty (40) medical professionals 
who touched nearly one million American lives. Thank you for the opportunity to speak 
to you today about my experience at the hands of the Federal Trade Commission and its 
advisor, Tiversa. 

This story transcends party politics and touches all Americans. What happened to my 
company, its employees, and the physicians and their patients that we served is 
emblematic of what can result from the FTC’s unsupervised administrative playbook. 
That playbook relies upon coercive and extortionate strategies to make small and large 
companies alike quickly succumb to FTC demands. The FTC’s reliance upon unverified 
allegations as “evidence” is an embarrassment to the agency. Moreover, its association 
with a company that extorts funds from American businesses is reprehensible and 
violative of the “pact” between citizens and their government. With the FTC, you aren’t 
just guilty until proven innocent, you’re guilty because the FTC says so . . . and dead before
they’re done. 

Set forth below is a timeline recounting the six-year battle that LabMD has fought. Six
years of attorneys’ fees. Six years of unfounded accusations. And, finally, after a costly 
battle and extensive carnage, the hope provided when this Committee announced its 
investigation. 

May 2008 

My nightmare began with a call that could happen to any American. It was from Robert 
Boback, the CEO of Tiversa. In the words of one FTC Commissioner, “Tiversa is more 
than an ordinary witness, informant, or ‘whistle-blower.’ It is a commercial entity that
has a financial interest in intentionally exposing and capturing sensitive files on computer 
networks, and a business model of offering its services to help organizations protect 
against similar infiltrations.” Mr. Boback told me that Tiversa had found LabMD patient 
data on the Internet, but refused to tell us more unless we paid and retained them. 

In response to Tiversa’s call, we performed a security review and determined that no 
patient files had been disseminated. Frankly, we were appalled by Tiversa’s “protection
racket” tactic: Everyone in medicine knows you can’t go out intentionally looking for 
vulnerable medical files, take them, read them, keep them and distribute them. Tiversa’s 
“hire us or else” threats were outrageous. But as you will see from my testimony, these 
threats foreshadowed the actions that would lead to the demise of LabMD and the forty
(40) full-time jobs it had created in its aim to support medical professionals in their 
assessment of cancer indicators. 

Tiversa continued trying to scare us by asking, for example, if we had seen the story in
the Washington Post that Supreme Court Justice Breyer had his files taken. Tiversa 
wanted us to pay them approximately $40,000 to remedy the so-called “breach.” We told 
them that we suspected Tiversa itself of wrongdoing, and asked that they no longer 
contact us. 

November 2008 

Tiversa called again — this time, aggressive, accusatory, and defensive. He said that 
Tiversa was giving the LabMD files to the FTC. We went back to diagnosing cancer with 
one eye over our shoulder, and continued to look for our patient data on the Internet. We 
never found it - there was simply no distribution of LabMD data that could be verified or 
substantiated. Because the file was not “out there”, we assumed that the FTC would 
recognize the game that Tiversa was playing, and give no additional thought to Tiversa’s 
allegations against us. No other course of action would make sense. 

January 2010 

Alain Sheer, an attorney with the FTC, contacted LabMD with an 11 page, single spaced 
letter opening a “nonpublic inquiry”. We responded by inviting the FTC to come to 
Atlanta - to see our facility; to tell us what we were to do differently; to tell us just what 
the standards are. The FTC declined. We quickly discovered that until told otherwise 
by the courts or Congress, the FTC presumes to have jurisdiction to investigate any 
company or person. 
August 2010 

It became clear that I would have to come to my own rescue so I started my own 
research. What I discovered was Kafkaesque: 

Tiversa’s Robert Boback appeared before this Committee in 2009 and made good on his 
threat to us. Without regard to federal privacy laws, or the dignity of cancer patients, 
Tiversa had disseminated LabMD’s unredacted patient files to Dartmouth College, who 
then used the data in its study on “Data Hemorrhages in the Medical Space.” Tiversa then 
provided a redacted form of these files to both Wired Magazine and to this Committee. 


Digging deeper, I learned that the Tiversa-Dartmouth connection was this: the 
Department of Homeland Security gave $24 million to Dartmouth to partially fund the 
“Data Hemorrhage” study. Dartmouth states that it got the file for this study using 
Tiversa’s unique and powerful technology. Tiversa was so proud of this they put out a 
press release in May of 2009 which in part stated: 

“Tiversa today announced the findings of new research that revealed 
13,185,252 breached files emanating from over 4,310,839 sources... 
Tiversa’s patent pending technology monitors roughly 450 million users 
issuing 1.5 billion searches a day... Over a two-week period, Dartmouth 
College researchers and Tiversa searched file-sharing networks...and 
discovered a treasure trove...a spreadsheet from an AIDS clinic with 232 
client names, SS#’s, addresses and birth dates, ...a 1718 page document 
from a medical testing laboratory. Requiring no software or hardware, 
Tiversa detects, locates and identifies exposed files in real-time...” 


We now know that this is not true. We learned that Tiversa did NOT get this file as 
portrayed in the Dartmouth study and Tiversa and Dartmouth knew it. Dartmouth got 
LabMD’s files when Dartmouth said - and I quote - they wanted to “spice up the data” 
and Tiversa provided them with the file. So Tiversa - which had expressed its deepest 
concern to us in May of 2008 regarding the security of these files - was now distributing 
LabMD property without regard to my company’s patients, and still would not answer 
our questions about how the property was acquired. 

August 2011 

After twenty (20) months, hundreds of thousands of dollars in lawyer fees, and 
technology upgrades to a standard that we could only guess at, I asked the FTC if they 
needed ANYTHING ELSE from us. Their answer was no. Soon after, Alain Sheer and 
Ruth Yodaikan told us they wanted LabMD to enter into a consent decree. I told them no, 
as the FTC had not pointed to any wrongdoing by LabMD, and we could not consent to 
something that was not true. They said they would sue the next day. But no suit was filed 
- yet. 


December 2011 

Instead of filing a lawsuit against LabMD - and perhaps in recognition that they could 
not articulate any wrong doing by LabMD - the FTC instead served a Civil Investigative 
Demand - essentially, an administrative subpoena - upon me, commanding that I sit for a 
deposition. Based upon my conversation with the FTC in August of 2011 that they did 
not need more information, I filed a formal objection to the CID. Unbelievably, the 
FTC’s rules precluded me from attending the hearing regarding this motion. The motion 
was denied. 
We appealed the decision to the Commission, setting forth Tiversa’s creation of the 
FTC’s investigation after LabMD refused to retain Tiversa. While our appeal was denied, 
FTC Commissioner Rosch registered his dissent from the majority, and expressed 
concern about Tiversa’s involvement, noting that Tiversa had a commercial interest in the 
outcome of the investigation, and questioning its business model. 

August 2012 

The FTC filed suit in Federal Court to make us sit for more depositions. The Court ruled 
that the FTC can haul in pretty much anyone they want. 

February 2013 

These depositions - in which the FTC asked the same questions over and over in an effort 
to deplete our financial resources so that we would not be able to afford an appeal to 
federal court - wore down the LabMD staff and emptied our bank accounts. Finally, the 
FTC alleged that it had discovered a “hard copy” of a spreadsheet of information 
concerning 500 LabMD patients in Sacramento, California. The FTC couldn’t prove 
where it came from, and sat on the information for months without telling us they had it 
(thereby themselves violating HIPAA time notification regulations). None of this made 
any sense. 
August 28, 2013 

The Associated Press woke me up with a phone call telling me that I had been sued by 
FTC. The public relations arm of the FTC had issued a scathing press release at the same 
time they filed suit. 

September 2013 - April 2014 

The FTC pursued litigation against LabMD via their optional administrative process 
rather than in the Federal courts. This administrative adjudication vehicle was identified 
by FTC Commissioner Wright last December as providing the FTC with “[I]nstitutional 
and procedural advantages” over its targets. As I learned, a target gets drained dry 
financially in a forum where a judge who doesn’t agree with the FTC gets overturned by 
the Commissioners. So what is the point? The point is to exhaust your insurance, your 
lawyers, and your fortitude before you can get out of there. And federal courts won’t 
intervene because they say Congress says they can’t. 

When asked by the administrative law judge about the FTC Data Security standards, 
Alain Sheer - one of approximately twenty (20) lawyers representing the FTC in the 
matter - said, and I quote, “There is nothing out there for a company to look at... there is 
no rulemaking. . .no rules have been issued.” Yet even without any standards, they 
subpoenaed approximately forty (40) different individuals: long-gone LabMD employees 
that left the company up to 7 years ago, current LabMD staff, managers, physicians, 
vendors. These witnesses were forced to retain counsel, and the FTC seemed to say: 
“This is FTC Justice and what will happen to you if you don’t play along, so cooperate 
please.” 

January 15, 2014 

As a result of the strain and expense of nearly five years of litigation with the FTC - 
litigation for which no legal standard was ever articulated - LabMD ceased its operations. 
Everyone lost their job, and doctors scrambled for a new lab. The FTC tore the soul out 
of LabMD. 

May 2014 

The trial started in Administrative Court at the FTC’s headquarters. The FTC called four 
“expert” witnesses, all of whom were told to assume that LabMD had flawed data 
security practices, and to rely upon Tiversa’s unproven representations that the LabMD 
file had been “spread.” 

June 2014 

A former Tiversa employee who was to testify at trial regarding Tiversa’s acquisition of 
LabMD data and subsequent submission of the data to the FTC invoked his Fifth 
Amendment right against self-incrimination. This Committee announced its investigation, 
and the trial case was stayed. 
* * * 

All Americans should be outraged by the FTC’s unchecked ability to pursue a claim that 
is not based in any legal standard. Outraged that the FTC’s administrative proceedings 
do not afford the same guarantees of due process that our federal courts provide. And 
outraged with the FTC’s use of and reliance upon information from a private, for-profit 
entity that made good on its threat to destroy a small medical lab. Because if it could 
happen to LabMD, it could happen to anyone. (And, indeed, it did happen to Chicago’s 
Open Door Clinic and others.) 

As a reminder, LabMD was a small cancer detection lab, working to create jobs in a 
difficult economy. LabMD was shuttered because it refused to cave - first to Tiversa and 
then, as threatened, to the FTC’s unfair process. Being accused of mishandling medical 
files is fatal to a cancer detection lab. The fact that the FTC made this accusation so 
casually and recklessly was astounding. We had built a company based upon the most 
precious commodities available - trust and integrity - and the FTC had destroyed it based 
upon nothing more than an unverified accusation by a self-interested commercial suitor 
whom we had scorned. 

This Committee has the power to get answers to the questions that LabMD posed, but for 
which we were never provided a response: How, really, did Tiversa obtain LabMD files? 
When did Tiversa meet with the FTC and agree to provide the FTC with those files? 

How was Tiversa compensated for providing this information? What did the FTC know 
about Tiversa’s creation of “The Privacy Institute,” which Mr. Boback testified was 
formed for the sole purpose of transmitting information to the FTC while “provid[ing] some 
separation from Tiversa from getting a civil investigative demand”? By getting answers 
to these questions, this Committee’s work will help all Americans, and will ensure the 
fair governmental system envisioned by our nation’s founders. 


I thank the Committee for its time and attention to this matter. 
October 5, 2010 


Tiversa 

Attn: Mr. Robert Boback 

144 Emeryville Drive, Suite 300 

Cranberry Township, Pennsylvania 16066 

RE: LabMD, Inc. 

Dear Mr. Boback: 

I am conducting an investigation on behalf of LabMD. I am investigating the 
abuse and misappropriation of LabMD’s property that may have involved any number of 
legal infractions, possibly including but not limited to, theft, conversion, extortion, 
trespass, privacy infringement, copyright infringement, computer crime, and 
misappropriation of trade secrets. 

We have become aware that a certain pdf file containing insurance aging 
information has come into the possession of you, Dartmouth University and the United 
States Federal Trade Commission (“FTC”). Our investigation has not determined how 
this property came into your possession. LabMD has not authorized or granted 
permission to anyone to take possession of this property or to use, process, or change it in 
any way. 

For example, we see a redacted version of LabMD’s property published in the 
following Wired Magazine article, “Academic Claims to Find Sensitive Medical Info 
Exposed on Peer-to-Peer Networks” 
<http://www.wired.com/threatlevel/2009/03/p2p-networks-le>. Mr. Alain Sheer and you 
have both informed LabMD that they possess this property. More than one news article 
has referenced this property in a way suggesting that it is in the possession of Professor 
Eric Johnson and Dartmouth University. At this stage of the investigation, we have many 
unanswered questions. We ask that you cooperate with our investigation in answering the 
following questions: 

DEFINITIONS 

Accordingly, as used herein, the terms “you” or “your” refers, without limitations, 
to the recipients of this letter, their representatives, agents, and all persons acting in their 
behalf. 


Tiversa 

October 5, 2010 
Page 2 of 4 

As used herein, the term “record” shall mean any electronic, written, recorded, or 
graphic matter, whether produced, reproduced or stored electronically, on papers, cards, 
tapes, belts, or computer devices of any other medium in possession, custody or control 
or known by you to exist and includes originals, all copies of originals, and all prior 
drafts. When the term “identify,” is used in conjunction with the term “record,” you are 
to state, with respect to such record: (1) the date of the record; (2) the identity of the 
person who has custody or control over the record; and (3) the nature and substance of 
the record, all with sufficient particularity to enable it to be identified in a notice to 
produce. 

“Identify,” with respect to a person, firm, corporation or other entity, means to 
provide an exact name, place of business, address, and telephone number. 

“Identify,” with respect to any record, means to provide the title and date of such 
record, the identity of the person preparing it, the identity of the custodian of the record, a 
description of the type of record (e.g., electronic data file, photograph, report, summary, 
etc.), database filename, and a description of what each record contains, depicts, reveals, 
or says. 

As used herein, the term "date" shall mean the exact day, month, and year if 
ascertainable, or, if not, the best approximation including relationship to other events. 

INVESTIGATIVE QUESTIONS 

1. What method, manner, services, technologies, and/or parties were utilized to 
access and obtain possession of LabMD’s property? 

2. Have you shared LabMD’s property with anyone, whether redacted or not? If so, 
with whom and under what circumstances? 

3. Do you have a financial or business relationship with Dartmouth College or the 
United States Federal Trade Commission (“FTC”) that would be relevant to 
LabMD’s property and/or your access and/or possession of LabMD’s property? 

4. To your knowledge, what are and have been the financial, business, or other 
relationships between you and/or Dartmouth College and/or the FTC? 

5. Please identify all records and data you possess that belong to LabMD or pertain 
to LabMD. 

6. Please identify any and all records and data belonging or pertaining to LabMD 
that you have accessed or reviewed, whether currently in your possession or not. 


Tiversa 

October 5, 2010 
Page 3 of 4 
7. Please identify and disclose the identity of any and all communications you have 
had with Dartmouth College, the FTC or any other individual or party regarding 
LabMD or its property. 

8. If you have engaged in communications with anyone regarding LabMD or its 
property, whether specifically naming LabMD or not, please state the purpose and 
content of any such communications. 

9. Please provide the dates and form of any communications listed in response to 
items numbered 7 & 8 above. 

10. What was your justification for accessing, taking possession, processing, storing 
and/or examining LabMD’s property? 

11. Please provide a full explanation of how you examined, interrogated, changed, 
processed, stored and/or transmitted LabMD’s property. 

12. What was your justification for opening any file that is LabMD’s property? 

13. Please provide a full explanation of the security that you have and are now 
applying to any and all property belonging to LabMD. 

14. Please provide a full explanation, if you have destroyed any records, related to 
your acquisition, processing, or possession of LabMD’s property or records. 

15. If you have destroyed any such records referenced in item no. 14 above, please 
identify each record and the date each record was destroyed. 

16. Were you involved in (or have you witnessed on the part of any other recipients to 
this letter) a pattern of conduct, involving taking property like LabMD’s property 
in connection with attempts to solicit the property owners as clients, threats to 
expose the property to authorities, and/or efforts to reap benefits from the 
property. 

Please be advised that you should take the necessary steps to preserve and 
safeguard any LabMD property in your possession, and any and all records related to 
your possession of LabMD’s property, included but not limited to, electronic mail, 
metadata, and IT logs. 

LabMD intends to take all appropriate steps to protect its rights and to protect the 
integrity and security of the data contained in its property. 

LabMD takes a very dim view of this abuse of its property. This is a serious 
investigation that may involve many stages. We ask that you provide complete answers 
Tiversa 

October 5, 2010 
Page 4 of 4 

to the foregoing investigative questions within thirty (30) days of your receipt of this 
letter. 


Thank you in advance for your cooperation with this investigation. 



Stephen Fusco 
General Counsel 


cc: Philippa V. Ellis, Esq. 



October 5, 2010 


Dartmouth College 
Office of the General Counsel 
Attn: Robert B. Donin, Esq. 

14 South Main Street, Suite 2C 
Hanover, New Hampshire 03755 

RE: LabMD, Inc. 


Dear Robert: 

I am conducting an investigation on behalf of LabMD. I am investigating the 
abuse and misappropriation of LabMD’s property that may have involved any number of 
legal infractions, possibly including but not limited to, theft, conversion, extortion, 
trespass, privacy infringement, copyright infringement, computer crime, and 
misappropriation of trade secrets. 

We have become aware that a certain pdf file containing insurance aging 
information has come into the possession of Dr. M. Eric Johnson, Tiversa and the United 
States Federal Trade Commission (“FTC”). Our investigation has not determined how 
this property came into their possession. LabMD has not authorized or granted 
permission to anyone to take possession of this property or to use, process, or change it in 
any way. 

For example, we see a redacted version of LabMD’s property published in the 
following Wired Magazine article, “Academic Claims to Find Sensitive Medical Info 
Exposed on Peer-to-Peer Networks” 
<http://www.wired.com/threatlevel/2009/03/p2p-networks-le>. Mr. Alain Sheer and 
Tiversa have both informed LabMD that they possess this property. More than one news 
article has referenced this property in a way suggesting that it is in the possession of 
Professor Eric Johnson and Tiversa. At this stage of the investigation, we have many 
unanswered questions. We ask that you cooperate with our investigation in answering the 
following questions: 

DEFINITIONS 

Accordingly, as used herein, the terms “you” or “your” refers, without limitations, 
to the recipients of this letter, their representatives, agents, and all persons acting in their 
behalf. 
Dartmouth College 
Octobers, 2010 
Page 2 of 4 

As used herein, the term “record” shall mean any electronic, written, recorded, or 
graphic matter, whether produced, reproduced or stored electronically, on papers, cards, 
tapes, belts, or computer devices of any other medium in possession, custody or control 
or known by you to exist and includes originals, all copies of originals, and all prior 
drafts. When the term “identify,” is used in conjunction with the term “record,” you are 
to state, with respect to such record: (1) the date of the record; (2) the identity of the 
person who has custody or control over the record; and (3) the nature and substance of 
the record, all with sufficient particularity to enable it to be identified in a notice to 
produce. 

“Identify,” with respect to a person, firm, corporation or other entity, means to 
provide an exact name, place of business, address, and telephone number. 

“Identify,” with respect to any record, means to provide the title and date of such 
record, the identity of the person preparing it, the identity of the custodian of the record, a 
description of the type of record (e.g., electronic data file, photograph, report, summary, 
etc.), database filename, and a description of what each record contains, depicts, reveals, 
or says. 


As used herein, the term "date" shall mean the exact day, month, and year if 
ascertainable, or, if not, the best approximation including relationship to other events. 

INVESTIGATIVE QUESTIONS 

1. What method, manner, services, technologies, and/or parties were utilized to 
access and obtain possession of LabMD’s property? 

2. Have you shared LabMD’s property with anyone, whether redacted or not? If so, 
with whom and under what circumstances? 

3. Do you have a financial or business relationship with Tiversa or the FTC that 
would be relevant to LabMD’s property and/or your access and/or possession of 
LabMD’s property? 

4. To your knowledge, what are and have been the financial, business, or other 
relationships between you and/or Tiversa and/or the FTC? 

5. Please identify all records and data you possess that belong to LabMD or pertain 
to LabMD. 

6. Please identify any and all records and data belonging or pertaining to LabMD 
that you have accessed or reviewed, whether currently in your possession or not. 
7. Please identify and disclose the identity of any and all communications you have 
had with Tiversa, the FTC or any other individual or party regarding LabMD or 
its property. 

8. If you have engaged in communications with anyone regarding LabMD or its 
property, whether specifically naming LabMD or not, please state the purpose and 
content of any such communications. 

9. Please provide the dates and form of any communications listed in response to 
items numbered 7 & 8 above. 

10. What was your justification for accessing, taking possession, processing, storing 
and/or examining LabMD’s property? 

11. Please provide a full explanation of how you examined, interrogated, changed, 
processed, stored and/or transmitted LabMD’s property. 

12. What was your justification for opening any file that is LabMD’s property? 

13. Please provide a full explanation of the security that you have and are now 
applying to any and all property belonging to LabMD. 

14. Please provide a full explanation, if you have destroyed any records, related to 
your acquisition, processing, or possession of LabMD’s property or records. 

15. If you have destroyed any such records referenced in item no. 14 above, please 
identify each record and the date each record was destroyed. 

16. Were you involved in (or have you witnessed on the part of any other recipients to 
this letter) a pattern of conduct, involving taking property like LabMD’s property 
in connection with attempts to solicit the property owners as clients, threats to 
expose the property to authorities, and/or efforts to reap benefits from the 
property. 

Please be advised that you should take the necessary steps to preserve and 
safeguard any LabMD property in your possession, and any and all records related to 
your possession of LabMD’s property, included but not limited to, electronic mail, 
metadata, and IT logs. 

LabMD intends to take all appropriate steps to protect its rights and to protect the 
integrity and security of the data contained in its property. 

LabMD takes a very dim view of this abuse of its property. This is a serious 
investigation that may involve many stages. We ask that you provide complete answers 
to the foregoing investigative questions within thirty (30) days of your receipt of this 
letter. 


Thank you in advance for your cooperation with this investigation. 



cc: Philippa V. Ellis, Esq. 
October 5, 2010 


Dr. M. Eric Johnson 

Tuck School of Business 

Dartmouth College 

100 Tuck Hall 

Mail Box No. 0000 

Hanover, New Hampshire 03755 

RE: LabMD, Inc. 

Dear Dr. Johnson: 

I am conducting an investigation on behalf of LabMD. I am investigating the 
abuse and misappropriation of LabMD’s property that may have involved any number of 
legal infractions, possibly including but not limited to, theft, conversion, extortion, 
trespass, privacy infringement, copyright infringement, computer crime, and 
misappropriation of trade secrets. 

We have become aware that a certain pdf file containing insurance aging 
information has come into the possession of you, Tiversa and the United States Federal 
Trade Commission (“FTC”). Our investigation has not determined how this property 
came into your possession. LabMD has not authorized or granted permission to anyone 
to take possession of this property or to use, process, or change it in any way. 

For example, we see a redacted version of LabMD’s property published in the 
following Wired Magazine article, “Academic Claims to Find Sensitive Medical Info 
Exposed on Peer-to-Peer Networks” 
<http://www.wired.com/threatlevel/2009/03/p2p-networks-le>. Mr. Alain Sheer and 
Tiversa have both informed LabMD that they possess this property. More than one news 
article has referenced this property in a way suggesting that it is in your possession and 
Tiversa’s possession. At this stage of the investigation, we have many unanswered 
questions. We ask that you cooperate with our investigation in answering the following 
questions: 

DEFINITIONS 

Accordingly, as used herein, the terms “you” or “your” refers, without limitations, 
to the recipients of this letter, their representatives, agents, and all persons acting in their 
behalf. 
As used herein, the term “record” shall mean any electronic, written, recorded, or 
graphic matter, whether produced, reproduced or stored electronically, on papers, cards, 
tapes, belts, or computer devices of any other medium in possession, custody or control 
or known by you to exist and includes originals, all copies of originals, and all prior 
drafts. When the term “identify,” is used in conjunction with the term “record,” you are 
to state, with respect to such record: (1) the date of the record; (2) the identity of the 
person who has custody or control over the record; and (3) the nature and substance of 
the record, all with sufficient particularity to enable it to be identified in a notice to 
produce. 

“Identify,” with respect to a person, firm, corporation or other entity, means to 
provide an exact name, place of business, address, and telephone number. 

“Identify,” with respect to any record, means to provide the title and date of such 
record, the identity of the person preparing it, the identity of the custodian of the record, a 
description of the type of record (e.g., electronic data file, photograph, report, summary, 
etc.), database filename, and a description of what each record contains, depicts, reveals, 
or says. 


As used herein, the term "date" shall mean the exact day, month, and year if 
ascertainable, or, if not, the best approximation including relationship to other events. 

INVESTIGATIVE QUESTIONS 

1. What method, manner, services, technologies, and/or parties were utilized to 
access and obtain possession of LabMD’s property? 

2. Have you shared LabMD’s property with anyone, whether redacted or not? If so, 
with whom and under what circumstances? 

3. Do you have a financial or business relationship with Dartmouth College or the 
FTC that would be relevant to LabMD’s property and/or your access and/or 
possession of LabMD’s property? 

4. To your knowledge, what are and have been the financial, business, or other 
relationships between you and/or Dartmouth College and/or the FTC? 

5. Please identify all records and data you possess that belong to LabMD or pertain 
to LabMD. 

6. Please identify any and all records and data belonging or pertaining to LabMD 
that you have accessed or reviewed, whether currently in your possession or not. 




Dr. M. Eric Johnson 
October 5, 2010 
7. Please identify and disclose the identity of any and all communications you have 
had with Dartmouth College, the FTC or any other individual or party regarding 
LabMD or its property. 

8. If you have engaged in communications with anyone regarding LabMD or its 
property, whether specifically naming LabMD or not, please state the purpose and 
content of any such communications. 

9. Please provide the dates and form of any communications listed in response to 
items numbered 7 & 8 above. 

10. What was your justification for accessing, taking possession, processing, storing 
and/or examining LabMD’s property? 

11. Please provide a full explanation of how you examined, interrogated, changed, 
processed, stored and/or transmitted LabMD’s property. 

12. What was your justification for opening any file that is LabMD’s property? 

13. Please provide a full explanation of the security that you have and are now 
applying to any and all property belonging to LabMD. 

14. Please provide a full explanation, if you have destroyed any records, related to 
your acquisition, processing, or possession of LabMD’s property or records. 

15. If you have destroyed any such records referenced in item no. 14 above, please 
identify each record and the date each record was destroyed. 

16. Were you involved in (or have you witnessed on the part of any other recipients to 
this letter) a pattern of conduct, involving taking property like LabMD’s property 
in connection with attempts to solicit the property owners as clients, threats to 
expose the property to authorities, and/or efforts to reap benefits from the 
property. 

Please be advised that you should take the necessary steps to preserve and 
safeguard any LabMD property in your possession, and any and all records related to 
your possession of LabMD’s property, included but not limited to, electronic mail, 
metadata, and IT logs. 

LabMD intends to take all appropriate steps to protect its rights and to protect the 
integrity and security of the data contained in its property. 

LabMD takes a very dim view of this abuse of its property. This is a serious 
investigation that may involve many stages. We ask that you provide complete answers 
to the foregoing investigative questions within thirty (30) days of your receipt of this 
letter. 


Thank you in advance for your cooperation with this investigation. 


Best regards, 



Stephen Fusco 
General Counsel 


cc: Philippa V. Ellis, Esq. 
The Guardian 


TECHNOLOGY 


Dissent in the ranks: why one FTC 
commissioner didn't like Google's fine 

The $22.5m fine handed out to Google over its cookie-tracking of 
Apple users didn’t satisfy one of the five Federal Trade 
Commissioners. But why not? 




[Photo caption: Tracking of Apple users attracted a fine: was that enough? Photograph: Roger Tooth for the Guardian] 


One point that got mostly overlooked in the Federal Trade Commission (FTC) fine 
against Google - $22.5m, which would be a lot for you or me, but amounts to about 15 
hours' operating profits based on the company's operating profits from its second 
quarter - was the dissenting opinion of one of the five commissioners, J Thomas Rosch, 
from the majority. 

http://www.theguardian.com/technology/blog/2012/aug/10/google-ftc-fine-dissent 
(Update: Rosch has again dissented after the FTC settled with Facebook over its 
altering of privacy settings. More in the piece below.) 

The commissioners split 4-1 in what they thought should be the correct way to treat 
Google over its behaviour. In fact, Rosch's dissent was so strong that the other four had 
to write an opinion (PDF) explaining their reasoning. 

But first, here's Rosch's beef. In his minority opinion (PDF), he says that he thinks that 
the FTC Act obliges him (and the others) 

to determine whether there is both 'reason to believe' there is liability and 
whether the complaint is in the 'public interest' before we vote out any 
complaint, whether it be a litigation complaint or a consent decree. 

Clear enough so far? He's setting out what the ground rules are for deciding whether to 
vote on something: liability and public interest. 

Now it gets interesting. 

There is no question in my mind that there is "reason to believe" that 
Google is in contempt of a prior Commission order. However, I dissent from 
accepting this consent decree because it arguably cannot be concluded that 
the consent decree is in the public interest when it contains a denial of 
liability. 

That is: if Google won't agree that it is liable for what it has done, then Rosch doesn't 
think it should be let off with just a fine. In fact, he's really quite vexed (reading between 
the lines) at the fact that all Google does accept about the FTC is that it has jurisdiction, 
and that it's doing this in the right location. He points to the FTC Order (handing down 
the fine) which says "[The] Defendant [Google] denies any violation of the FTC Order, 
any and all liability for the claims set forth in the Complaint, and all material allegations 
of the Complaint save for those regarding jurisdiction and venue." 

Yet, at the very same time, the Commission supports a civil penalty of $22.5 
million against Google for that very same conduct. Condoning a denial of 
liability in circumstances such as these is unprecedented. 

He also points out that Google has been charged before with "engaging in deceptive 
conduct" over Buzz, its social network which enrolled you whether or not you really 
wanted to be enrolled (much the same as Google+, in fact, though that seems to handle 
privacy rather better - so much better that nobody can tell how much of anything 
actually goes on there). Google, says Rosch, is essentially being charged with contempt of 
the FTC's Consent Order over Buzz - which is how it got into this whole thing. 

Says Rosch: 

"This scenario - violation of a consent order - makes the Commission's 
acceptance of Google's denial of liability all the more inexplicable," 

He points out that $22.5m "represents a de minimis amount of Google's profit or 
revenues." But it's even worse, he says: 

"the Commission now has allowed liability to be denied not only in this 
matter but also in the Facebook settlement where Facebook simply 
promised to 'go and sin no more' (unlike Google, Facebook was not 
previously under order). There is nothing to prevent future respondents 
with fewer resources than Google and with lower profiles than Google and 
Facebook from denying liability in the future too." 

And that's the real nub of Rosch's complaint with the majority decision: that if you let 
Google (and Facebook, which was also put under a consent order essentially for 
swapping around its privacy rules so often) off without admitting that what they did was 
wrong, then others will too. And if you don't do that, then it becomes one law for the big 
guys with hefty lobbying operations, and one law for the small ones. 

For complete clarity, I emailed the FTC on Thursday, and Commissioner Rosch's office 
responded to my queries as follows: 

Commissioner Rosch doesn't think that the Commission has any business 
accepting a denial of liability when 1) Google sees fit to pay over $22 million 
in civil penalties; 2) Google is in clear contempt of a Commission order; and 
3) there is no limiting principle, so that the acceptance of a denial of liability 
in this case represents a precedent for respondents less well-heeled and 
with a lower profile than Google to also negotiate a denial of liability. 

Commissioner Rosch notes that the FTC has a precedent here - it is to 
allow defendants to "neither admit nor deny" liability. The Commission just 
didn't hold Google to that precedent in this case. 

Update: in his Facebook dissenting opinion (PDF), Rosch says: "I cannot find that 
either the "reason to believe" or the "in the interest of the public" requirement is 
satisfied when, as here, there is an express denial of the allegations set forth in the 
complaint." So it's just as with Google: Rosch feels that companies should take 
responsibility for their actions (or inactions) - and wants the FTC to shift to a model like 
the Securities and Exchange Commission, where if you deny the charges then you can't 
be part of a consent order (essentially, getting you out of going to trial). 

There's certainly evidence that within the FTC, Google isn't exactly flavour of the 
month. In a call with reporters, David Vladeck, the director of the FTC's bureau of 
consumer protection, pointed to other privacy screwups by Google - Buzz, the Street 
View Wi-Fi data collection - and said "The social contract has to be that if you're going to 
hold on to people's most private data, you have to do a better job of honoring your 
privacy commitments". He wasn't impressed by Google's explanation that the cookie 
workaround was unintentional: "As a regulator, it is hard to know which answer is 
worse; 'I didn't know' or 'I did it deliberately'." 

Google's statement, beyond which it's not shifting, is that "We set the highest standards 
of privacy and security for our users." 

But if Rosch was the dissenter, why did the other four think it was OK to let Google off 
without admitting liability? Here's what they say: 

Here, as in all cases, a defendant's denial of liability in a settlement 
agreement has no bearing on the Commission's determination as to whether 
it has reason to believe the defendant has violated the law or that a 
proposed settlement will afford appropriate relief for the Commission's 
charges. To the contrary, the Commission acts based on its consideration of 
the staff's investigative work, and in this instance we have strong reason to 
believe that Google violated its order. 

In other words: denying that you killed somebody doesn't cut much ice when you're 
found holding the knife still in their heart. (Or, less dramatically, denying you ever took 
those cookies isn't much use when you've been photographed on CCTV with your hand 
in the cookie jar.) 

The key question, the commissioners say, is whether Google will now abide by the 
consent order. The fine, they imply, is a big whack on the back of the hand for Google 
"when the accompanying complaint does not allege that the conduct at issue yielded 
significant revenue or endured for a significant period of time." That's an important 
point, since there's absolutely no way of knowing how much revenue - if any - Google 
actually derived from what it did. 

Yet simple measures of revenue aren't the key point. What's really important, as 
Vladeck said, is whether we, as consumers, can trust companies with our data, because 
our data is becoming all that there is of us (and if you don't believe that, read again about 
the technology writer ... a couple of hackers who 
wanted access to his Twitter account). 


And after this fine, and with the EC still pondering whether it accepts Google's offers 
to solve its antitrust questions over search, and the FTC - them again - pondering the 
question of whether Google has abused its dominant position in search, and with the Wi-
Fi/Street View issue rumbling on in Europe (with the German data protection 
authorities considering what action to take, and now the UK's Information 

Book scanning controversy still rumbling on too, one wouldn't say that Google is out of 
the woods yet. Even if the FTC's fine represents less than a day's profits, the effects on 
its reputation could linger for a lot longer. 


From: Johnson, M. Eric <M.Eric.Johnson@tuck.dartmouth.edu> 
Sent: Tuesday, April 29, 2008 4:59 PM 
To: Chris Gormley <cgormley@tiversa.com> 
Subject: RE: WSJ article 

Yes, we concluded that insurance/hmo should be our next subject! I am sitting on an airplane waiting to take off. You 
around in the am? 

-----Original Message----- 
From: Chris Gormley <cgormley@tiversa.com> 
Sent: Tuesday, April 29, 2008 3:43 PM 
To: Johnson, M. Eric <M.Eric.Johnson@tuck.dartmouth.edu> 
Subject: RE: WSJ article 

Medical is a treasure trove of information, but it's not necessarily 
coming from big hospitals. We've got tons of individual practitioners 
(most notably psychiatrists) who disclose (since they write up their 
findings). 

I'd like to give you a quick call regarding the info - what's your 
number? I can't find your card right now. 

From: Johnson, M. Eric [mailto:M.Eric.Johnson@tuck.dartmouth.edu] 
Sent: Tuesday, April 29, 2008 1:27 PM 
To: Chris Gormley 
Subject: WSJ article 

Thanks - I had not seen it yet. 

We are coming well on the medical files - finished going through all the 
files. We are working on the report right now. We turned up some 
interesting stuff - not as rich as the banks, but I guess that could be 
expected. Any chance you could share a couple other of your recent 
medical finds that we could use to spice up the report? You told me 
about the one database you found that could really boost the impact of 
the report. Certainly will coordinate with you on the report and 
release. I forgot to ask - did you guys also grab searches related to 
our digital signature? 

Eric 

From: Chris Gormley [mailto:cgormley@tiversa.com] 
Sent: Tuesday, April 29, 2008 11:38 AM 
To: Johnson, M. Eric 
Subject: FW: WSJ article 

You've probably seen this, but good read. 

From: Robert Boback 
Sent: Tuesday, April 29, 2008 11:33 AM 
To: Chris Gormley; Griffin Schultz; Katy Everett; John P. Daunt; William Ferguson 
Subject: WSJ article 

Check out this scanned copy of an article in today's WSJ. 

Page 2 is important for agencies that specifically highlight the 
existing laws around breaches. 

Also, it mentions that over 200 CRIMINAL cases have been filed with the 
DOJ since 2003 regarding HIPAA - there are consequences for 
inactivity. 

Robert Boback 
Chief Executive Officer 

Tiversa, Inc. 
The Leader In Information Containment Management 
144 Emeryville Drive, Suite 300 
Cranberry Township, Pennsylvania 16066 
724-940-9030 Office | 724-940-9033 Fax 
BUILD A 
BETTER BOARD 

SEE HOW A SOLID BOARD OF DIRECTORS CAN POISE 
A COMPANY FOR SUCCESS 

BY EVAN PATTAK, CONTRIBUTING WRITER 

Retired Gen. Wesley Clark. Former eBay COO Maynard Webb. Howard Schmidt, 
the highest-ranking cybersecurity official in the White House. Patrick Gross, 
Co-Founder of American Management Systems. 

If that sounds like a task force commissioned by the National Security 
Council, that's exactly what Bob Boback intended. Boback, Tiversa's 
Co-Founder (with Sam Hopkins) and CEO, landed them all for the firm's 
advisory board. It was, to say the least, an ambitious undertaking. 

"We were focused on nothing but closing and revenue," Boback says. 
"So when we considered advisers, we asked ourselves, 'Who can provide 
introductions? Whose credibility can we leverage to get where we need 
to be?'" 

Because of his high-level marketing experience, Gross was the initial 
target. 

"Getting that first adviser, that beachhead, is the most important," 
Boback says, "so long as you can get it without giving up too much of 
the company. That's the ideal situation, and we managed to do that." 

Tapping the contacts of its lead Series A investor, Adams Capital 
Management, Tiversa added the other powerhouses who became 
stepping-stones to clients . . . and more. 

Clark, fresh off his bid for the 2004 Democratic presidential 
nomination, provided entree to government agencies. Webb helped 
persuade other eBay stars - former Marketing Chief Michael Dearing, 
former CTO Lynn Reedy, former Operations Vice President Tom Keevan - 
to round out Tiversa's seven-member advisory board. 

With its advisers leading the way, Tiversa has achieved remarkable 
success for a company only four years old. Though it won't disclose 
customer names because of the sensitivity of its business, Tiversa is 
handling enterprise security for clients that Boback describes as 
"Global 50," with market capitalizations ranging from $30 billion to 
more than $200 billion. 

Its advisory board - and an equally capable board of directors - have 
been the keys to Tiversa's rapid rise. Here are other lessons start-ups 
can learn from Tiversa's board-building: 

DEVELOP A FIRST-RATE PRESENTATION 
IN MULTIPLE FORMATS 

To reel in Schmidt, Tiversa had to persuade him that its technology and 
team were real, and they had only a single meeting in Washington, D.C. 
to do the job. Tiversa's presentation was so effective that, at 
session's end, Schmidt agreed to sign on. 

"At this level, you get one shot," Boback notes. "You have to entice 
them within those first few minutes and prove to them that they need to 
be with you. Selling to an adviser is just like selling to a client. It 
can't be just to generate money or leverage their connections. There 
has to be a story attached. Tell them why you're passionate about what 
you're doing. They'll feel the passion and gravitate towards it." 

Tiversa pitched to Clark through another medium - a WebEx demo. 
Different format, same results. On the strength of the demo, Clark 
agreed to a New York meeting and came onboard shortly thereafter. 

"Potential advisers don't want blather," says Joel Adams, Founder and 
General Partner of Adams Capital, who serves on Tiversa's board of 
directors. "They want their time respected. You do that by telling them 
why they should be interested - and telling them now. You can get to 
the pleasantries later." 

PLAN - AND BUDGET FOR - BOARD 
OPTION PACKAGES 

Although the company was prepared to customize equity offers to meet 
the needs of its talented advisers, the standard package Tiversa 
developed proved to be satisfactory. That enabled Tiversa to stick to 
its budgeted numbers for options - an important consideration, since it 
anticipates offering additional options in future funding rounds. 

Remember also that if you grant options down the road, whether to 
investors, directors or staff, the equity of the earliest investors and 
board members likely will be diluted. Observes Boback: 

"Nobody wins with dilution unless we can point to the fact that raising 
more capital will generate more revenue more quickly, so that in the 
long run, your percentage of the company, although a smaller number, is 
worth more. Advisers don't want to dilute. But they'll do whatever they 
can to make this company successful." 

KEEP YOUR BOARD OF 
DIRECTORS NIMBLE 

Significant outside investment usually brings with it the need to 
formalize a board structure that may have been loose in the formative 
months. Tiversa turned to its counsel, Morgan, Lewis & Bockius, to 
create that structure and accompanying documents. 

"Yes, you need the formality and the papers," confirms Kline of Morgan 
Lewis. "But more than anything you need chemistry. Tiversa's board 
members are world-class, each adding valuable insight, the whole 
functioning cohesively." 

The size and tenor of the board facilitate its effective operation. 
Tiversa opted for a three-member board - Boback, Adams and company CFO 
Dave Becker - with the option to expand up to five. It's a board that's 
geared for decisive action. 

"Collegiality should be the order of the day, as should mutual 
respect," Adams says. "I prefer odd numbers to even for obvious 
reasons, smaller to bigger. With small boards, you can make decisions 
quickly. Many times, there's no rocket science involved. It's just a 
matter of getting the facts on the table, using good, sound judgment 
and pulling the trigger." 

KEEP YOUR DIRECTORS UP TO SPEED 

"One of the things that drives me crazy about boards," Adams says, "is 
when you walk into a meeting and management spends the whole time 
getting everybody up to the same information level. Entrepreneurs need 
to keep everybody up to speed so directors start from a base of common 
knowledge and actually perform work from there." 

Tiversa's board meets bimonthly, but the directors keep in touch on a 
daily basis, or very nearly so. 

"I couldn't wait two months to say, 'Here's what's happening,'" Boback 
explains. "There are events occurring here and now, and I need a 
decision today." 

PUT YOUR BOARDS TO WORK 

You engaged your directors and advisers for their expertise. Deploy 
those assets by tasking your boards with specific missions tailored to 
their talents. 

"Some companies use advisory boards as window dressing," Adams says. 
"The interaction is minimal, and that type of board isn't worth much. 
Tiversa has been able to get its advisers to interact, to participate. 
When they walk out of a board meeting, they have to-do lists." 

On the other hand, neither you nor your board wants directors to 
micromanage the business. Board-level assignments make sense, but as 
Adams puts it: 

"If I have to be active in the operations, there's a problem." 
Tiversa Identifies Over 13 Million Breached Internet Files in the Past Twelve 
Months 

Tiversa today announced the findings of new research that revealed 13,185,252 breached files 
emanating from over 4,310,839 sources on P2P file-sharing networks within a twelve month 
period from March 01, 2008 - March 01, 2009. This new data clearly demonstrates that P2P 
file-sharing risk is not effectively being addressed by the security protocols of Fortune 500 
companies and government agencies, as these organizations commonly have exposure across 
the Extended Enterprise. Tiversa's findings also hint at the enormity of the issue at hand. 

Cranberry Township, PA (PRWEB) May 28, 2009 -- Tiversa today announced the findings of new research that 
revealed 13,185,252 breached files emanating from over 4,310,839 sources on P2P file-sharing networks within 
a twelve month period from March 01, 2008 - March 01, 2009. 

The research is based on data in an ongoing study by Tiversa, whose patent-pending technology monitors 
over 450 million users issuing more than 1.5 billion searches a day. The files analyzed included only those 
identified on behalf of Tiversa's existing customer base during the 12 month period. It's also important to note 
that the referenced files are business documents only (.doc, .xls, .pdf, .ppt, etc). Music, software and movie files 
(.mov, .wma, .mpeg4, .mp3, etc) were not included in the study. 

This new data clearly demonstrates that P2P file-sharing risk is not effectively being addressed by the security 
protocols of Fortune 500 companies and government agencies, as these organizations commonly have exposure 
across the Extended Enterprise. Tiversa's findings also hint at the enormity of the issue at hand. 

"P2P file-sharing presents a broad spectrum risk to organizations of all shapes and sizes. This is a horizontal 
issue occurring across all verticals", says Robert Boback, Tiversa CEO. "The information being shared across 
these networks is staggering. In a typical day, Tiversa might see the Protected Health Information (PHI) of tens 
of thousands being disclosed by a hospital or medical billing company, the Personally Identifiable Information 
(PII) of an organization's global workforce being exposed through a third-party payroll provider and a Fortune 
500 company exposing corporate IP, such as pre-patent documentation or executive board minutes." 

Tiversa's latest research reinforces warnings aired in recent media reports, as well as growing concerns voiced 
by Congress in new legislative discussions aimed at protecting consumers by requiring stricter privacy and 
security procedures around computerized data containing personal information (H.R. 2221 Data Accountability 
and Trust Act). 

Findings released in February 2009, in a collaborative research study (Data Hemorrhages in the Health-Care 
Sector) between Tiversa and the Tuck School of Business at Dartmouth College highlight these same risks by 
focusing on the exposure rate of sensitive data in the healthcare industry. 

Over a two-week period, Dartmouth College researchers and Tiversa searched file-sharing networks for key 
terms associated with the top ten publicly traded health care firms in the country, and discovered a treasure 
trove of sensitive documents. Found was a spreadsheet from an AIDS clinic with 232 client names, including 
Social Security numbers, addresses and birth-dates. Discovered were databases for a hospital system that 
contained detailed information on more than 20,000 patients, including Social Security numbers, contact 
details, insurance records, and diagnosis information. 

Also identified was a 1,718-page document from a medical testing laboratory containing patient Social Security 
numbers, insurance information, and treatment codes for thousands of patients, as was 350 megabytes of data 
comprising sensitive reports relating to patients of a group of anesthesiologists. 

In today's world of open communication, one of the greatest challenges privacy, information security and risk 
management professionals face is how to provide open and direct access to information while protecting 
sensitive and confidential documents. Tiversa has seen millions of individual records and sensitive files 
inadvertently being shared by organizations, their agents, key suppliers, and trusted partners. This type of 
confidential information is continuing to be exposed and risks being used for competitive intelligence, fraud, 
identity theft, medical identity theft and criminal gain. 

Tiversa provides P2P Intelligence and Security Services to corporations, government agencies and individuals 
based on patent pending technologies that can monitor over 450 million users issuing 1.5 billion searches a day. 
Requiring no software or hardware, Tiversa detects, locates and identifies exposed files in real-time, while 
assisting in remediation and prevention efforts. 

For more information on Tiversa, their solutions or research, please contact them at (724) 940-9030 or visit 
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BliKiniberg and Business W'cck's l>roblcmiiiic Wikil.eaks Slory : CJR 


I'lmc 


I of 4 


COLUMBIA 

JOURNALISM 

REVIEW 

i'rt.'j.'.s-. .Strong Democracy 


rr... y .-.(Oi idr.?.' W.! 

Bloomberg and BusinessWeek's Problematic WikiLeaks 
Story 

Rfld flags adulter as llie news oulfit runs with seriously questionable evidence 

FL/ CditUin 

l-low many red ilas« can wo count in diis Hhomhviy ihiHiiicss^W-rk pii.-ctt on VVikiLcaksV 
loi'.st Ihere's Ihu hesullinc: 

IsWikilealcs llnckm^ i‘or StJcroLs? 


}, tike ill)’ rolipig’ni; I^nirci) Kii’chnor, a real j)i-obk'm with qne.siion headlines, which seem 
In iias'c pmiirenilc'd in recent yeans. On ihe bright side, Ihoy'ro good leads for critics like us; It’s 
n sure sign that tlic reporter ean’l tinswer tho (juosiion and a possible .sign that thc\’ slmuldn't 
hare uritlen the piece in Ihe first place. In Ihi.s case it turns out lo be both. 

riio second red Hug is ilie suidied: 

internet seciivily company Tieersa .s;»ys Wikibeaks may be exploiting a Icature in 
pceV’to-peer llle-.sharing applications lo scarrh ibrckis-sifiod dtua 


“Intenuit .security ctnupatiy Ti^■er.sn says." huh? Who Ihe heck is Tiver.sa? Jt tun’t oxaelly McAfee 
or uiitiie^'cr. 

.Moi c impmianliy, an Internet security cjunpany has an incentive to pilch stories that make it 
seem like Internet security is really, rcuiliy bath Thiit way you'll buy tlieir .services. I krc's hmv 
Tb'L'rsn descni)e.s what it does; 


llUJ>://sv^v\v,vir.o^■gAht\ audii/bloomlKrg_andJni8lnu.sswccks_pr.php?pngc“aU&f)rini=irue 7/14/201 1 
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Bloomberg and BusinessWeek's Problematic WikiLeaks Story : CJR 


Page 2 of 4 


Tlversa provides PaP Intelligence and Security services to corporations, ^ 

; government agencies and individuals based on patented technologies that can j 

I monitor over 500 million users issuing 1.6 billion searches a day. I 


The third flag is all the weasel words in the key paragraph explaining the "evidence” (emphasis 
is mine): 

Except that WikiLeaks, according to Internet security company Tiversa, appears j 

to have hunted down that military document itself. Tiversa says the group may 
have exploited a feature of file-sharing applications such as UmeWire and Kazaa | 

that are often used to swap pirated copies of movies and music for free. If, for i 

j example, a Pentagon employee were to log on to such a peer-to-peer network (an | 

array of disparate computers with no central hub) to download a movie, he could 
posslblyexposeeveiy last e-maii and spreadsheet on his PC to piying eyes. That’s 
j becausesomepeer-to-peer, or P 2 P, applications may scan users’ hard drives for 
I shareable flies. Not turning that feature off, or specifying which parts of the hard 
drive maybe searched, leaves the door wide open. 


Hmm. So a PaP security company says Wlldleaks “appears to have” hacked into militaiy 
computers and “may have" used PaP to do it What’s wrong with this picture? 

And BBW (the story originally ran at Bloomberg) continues on with its reckless speculation via 
weasel word; 


The possibili^ that the site Is systematically ransacking computers may 
offer prosecutors an alternate path to get the group and its founder into a 
U.S. courtroom. 


Neatly enough for Tiversa, SaWeek plays along with the cloak and dagger stuff: 


I To conduct a massive search of networks around the world, huge amounts of j 

computing horsepower and bandwidth are required. i 

Tiversa has plenty ofbotb. In a secure room at the company's headquarters in ’ 
Cranbeny Township, Fa., banks of servers create a minute-by-minute mop of what j 

I is effectively a global treasure trove of secrets. In a brief demonstration of whafs j 

out there for the taking, a Tiversa analyst laps a few keys, and up pops the cell 
phone number of actress Lucy Uu along with the pseudonym she uses to check into 
hotels— attached to a production company document clearly labeled ‘kiot to be j 

made public.” There are several draft chapters of a book by white supremacist 
David Duke, as well as a spreadsheet of all the donors to his cause. Assange has told j 
i interviewers that his group has damaging information on pharmaceutical, energy, | 


http://vwvw.cjr.org/the_audit/bloomber^and_businessweeks_pr.php?page“alI&print=true 7/14/2011 
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liloomhcrg and J^usincs.sWcck'.s l^rohlemaiic WikiLeaks Siory : CMU 


I^ugc 3 (d' 


and financial ctnnpanius; n‘i\^ci‘su CKO Robert) Uoback confirms Ihat conilduniial 
corpuraio dueumaiUs arc readily accessible. 


Cut lo PR executives high-fiviiig. 

I’uarlh red flag: It’s essentially a one-source .sl<ny. I lei^s the evidence Rlotjniherg prescnls as' if 

il’s fact (you’ll .sec below that it’s not)’ 

In the in!S.sik'-rangc case, 'i'ivevsn’s systems nolimi iimusual activity coming (Voni a 
cluskTof computers in Sweden, \vhei*e imlil l>{rcembcr Wikil^stks had some of its 
key seiver.s. ’Djc cluster wn.s furiously searching PuP nclwtirks around the world. It 
hit pay dirt in the fortn of a flic blandly labeled PPL, HI. pdf, available for download 
frtan a computer in Hawaii, '(’he Swedish compnlers d<nvnloadt;d the document, 
and t^s•« months later it was posted on VVikiI.eaks. 

K.\eculivi>s at Tiversa, which i.s hired by governmeiUs mid corporations to use the 
same hmpholr to firul cxpo.sod document.s and figure <uil who might be acce.ssing 
liicm, say the Mtiwuii incident wii.sii'i an isolated case. It.s technology has detected 
the m)'stcri(fus Swcdisli computers ilownloading gigabyte.s of data, much of wind) 
soon appeared on VVikiUsiks. "VVikiU-aks is doing searches them.selves (jn file- 
sharing nohvork.s," says l<obc.rl fiohack, Tiversa’s chief executive officer. *’ It wmikl 
be highly unlikely that someone eksi? from Sweden is i.ssuing those same lyi>es of 
.searches resulting in that .same type of information. ’ 


The fifth sorta-kinda red flag (once you've seen two or three in one piece, it's good to start 
suspecting everything in it) is that two of Tiversa's advisors have awfully tight ties to the U.S. 
military and federal government. Wesley Clark, the former NATO commander and four-star 
general, is an advisor as is Howard Schmidt, who worked for the feds for three decades. Here's 
the latter's bio: 

He retired from the White House after 31 years of public service in local and federal 
government including the Air Force Office of Special Investigations and the FBI 
National Drug Intelligence Center. He was appointed by President Bush as the Vice 
Chair of the President's Critical Infrastructure Protection Board and as the Special 
Adviser for Cyberspace Security for the White House in December 2001. 

This piece raised questions from Forbes's Andy Greenberg, too, and he beat me to it by more 
than two weeks. It's some excellent blogging. 

Sure enough, Greenberg confirms that Tiversa is working for the U.S. government, which is 
WikiLeaks's sworn enemy, and he blows apart Bloomberg's piece with this reporting: 




In fact, in a phone interview with me today, Boback sounded distinctly less sure of 
his firm's deductions than he did in the Bloomberg piece. "What we saw were 
people who were searching [computers connected to filesharing networks] for .xls, 
.doc, .pdf, and searching for those generic terms over and over again," says Boback. 
"They had multiple Swedish IPs. Can I say that those are WikiLeaks? I can't. But we 
can track the downloads of people doing that, and a short time after those files were 
downloaded, they're listed on WikiLeaks." 

Boback, who says he's working with a U.S. government investigation into possible 
peer-to-peer sources for WikiLeaks, says that he saw downloads of documents that 
later were posted to WikiLeaks from other countries too, both "in the U.S. and 
across Europe." "Many of the searches are in Sweden, many are outside," adds 
Boback. "It's hard for us to say that any IP address was WikiLeaks." 


Ayy. 

And then there's the Occam's Razor thing, which should have raised some questions from 
editors somewhere along the way: 

Still, WikiLeaks' latest bombshells, like the military documents and State 
Department cables allegedly leaked by Bradley Manning and the upcoming list of 
tax-sheltered Julius Baer clients in Switzerland, seem to have been the product of 
traditional whistleblowing, not hacking. Part of what has made WikiLeaks so much 
more effective than traditional hacking efforts, after all, is that whistleblowers with 
privileged accounts within computer networks are a far more efficient source of 
embarrassing data than hacking techniques such as random searches of filesharing 
networks. As Assange reminded me when we spoke in November: "Insiders know 
where the bodies are." 


The unfortunate bottom line is that it seems the press feels freer to go aggressively after enemies 
of the state, even if they're helping it do its job informing the people about what their state is 
doing in their name. 

Would this kind of journalism have passed the smell test if it weren't about WikiLeaks? I highly 
doubt it. 

Bloomberg and BusinessWeek shouldn't have run with this one. It looks for all the world that 
they may (to borrow a word) have published a smear. 


VIA Federal Express 

Michael J. Daugherty 
LabMD, Inc. 

2030 Powers Ferry Road 
Bldg. 500, Suite 520 
Atlanta, GA 30339 


Dear Mr. Daugherty: 

As I discussed today with Mr. Boyle, the staff of the Federal Trade Commission 
("Commission") is conducting a non-public inquiry into LabMD, Inc.'s compliance with federal 
law governing information security. According to information we have received, a computer file 
(or files) from your computer network is available to users on a peer-to-peer file sharing ("P2P") 
network (hereinafter, "P2P breach").¹ The file (or files) contains sensitive information about 
consumers and/or employees that could be used to commit identity theft or fraud or cause other 
types of harms to consumers and/or employees.² 

Section 5 of the FTC Act prohibits deceptive or unfair acts or practices, such as 
misrepresentations about privacy and security and practices that cause substantial injury to 


¹ P2P networks are created when users install compatible peer-to-peer file sharing 
applications on personal computers in homes and businesses. The applications link these 
computers together and can be used to share files between the computers. Once a file has been 
shared, the original source of the file cannot remove the file from the P2P networks or control 
access to it by other users on the networks. 

For information about security concerns raised by the use of peer-to-peer file sharing 
applications and possible responses to them, see the enclosed Peer-to-Peer File Sharing: A 
Guide for Business, www.ftc.gov/bcp/edu/pubs/business/idtheft/bus46.shtm. 


² One such file is insuranceaging_6.05.07.pdf. 
consumers.³ Accordingly, we seek to determine whether your handling of sensitive information 
from or about consumers and/or employees raises any issues under Section 5. 

We invite you to meet with us in our Washington, D.C. office to discuss this matter, or to 
discuss this matter with us by telephone. If possible, we would like to meet during the week of 
March 8, 2010. In advance of the meeting, we request that you provide us with the information 
and documents listed below by February 22, 2010. Please feel free to submit any additional 
information you believe would be helpful to the Commission's understanding of this matter. 

Any materials you submit in response to this request, and any additional information that you 
mark "Confidential," will be given confidential treatment.⁴ 

In preparing your response: 

• Please provide all responsive documents in the possession, custody, or control of 
LabMD, and its parents, owners, subsidiaries, divisions, affiliates, branches, joint 
ventures, and agents (collectively, "LabMD", "you," or "your"). 

• Please submit complete copies of all documents requested, even if you deem only 
part of a document to be responsive. 

• Responses to each request should describe in detail each material change or 
update that has been made that concerns, refers, or relates to the request, as well 
as the date the change or update was implemented and the reason(s) for the 
change or update. 

• Please number each page of your response by Bates stamp or otherwise, and 
itemize your response according to the numbered paragraphs in this letter. 

• If any document is undated, please indicate in your response the stamped page 
numbers of the document the date on which you prepared or received it. 

• If you do not have documents that are responsive to a particular request, please 
submit a written statement in response. If a document provides only a partial 
response, please submit a written statement which, together with the document, 
provides a complete response. 

• If you decide to withhold responsive material for any reason, including an 
applicable privilege or judicial order, please notify us before the date set for 


³ 15 U.S.C. § 45 et seq. 

⁴ The Commission's procedures concerning public disclosure and confidential treatment 
can be found at 15 U.S.C. §§ 46(f) and 57b-2, and at Commission Rules 4.10, 4.11 (16 C.F.R. 
§§ 4.10, 4.11). 
responding to this request and submit a list of the items withheld and the reasons 
for withholding each. 

• Please do not submit documents that contain any individual consumer's or 
employee's date of birth, Social Security number, driver's license or other 
personal identification number, financial account information, or medical 
information. If you have responsive documents that include such information, 
please redact the information before providing the documents. 

• We may seek additional information from you at a later time. Accordingly, you 
must retain all relevant records, documents, and materials (not only the 
information requested below, but also any other information that concerns, 
reflects, or relates to this matter, including files and information stored 
electronically, whether on computers, computer disks and tapes, or otherwise) 
until the final disposition of this inquiry or until the Commission determines that 
retention is no longer necessary.⁵ This request is not subject to the Paperwork 
Reduction Act of 1980, 44 U.S.C. § 3512. 

• A responsible corporate officer or manager of LabMD shall sign the responses 
and certify that the documents produced and responses given are complete and 
accurate. 

• For purposes of this letter, the term "personal information" means individually 
identifiable information from or about an individual consumer, including, but not 
limited to: (a) first and last name; (b) home or other physical address, including 
street name and name of city or town; (c) email address or other online contact 
information, such as an instant messaging user identifier or a screen name; (d) 
telephone number; (e) date of birth; (f) government-issued identification number, 
such as a driver's license, military identification, passport, or Social Security 
number, or other personal identification number; (g) financial information, 
including but not limited to: investment account information; income tax 
information; insurance policy information; checking account information; and 
credit, debit, and/or check-cashing card information, including card number, 
expiration date, security number (such as card verification value), information 
stored on the magnetic stripe of the card, and personal identification number; (h) 
health information, including, but not limited to: prescription medication and 
dosage; prescribing physician name, address, and telephone number; health 
insurer name, and insurance account and policy numbers; and medical condition 
or diagnosis; (i) employment information, including, but not limited to, income, 
employment, retirement, disability, and medical records; (j) a persistent identifier, 
such as a customer number held in a "cookie" or processor serial number, that is 


⁵ Failure to retain documents that may be relevant to this matter may result in civil or 
criminal liability. 15 U.S.C. § 50. 
combined with other available data that identifies an individual consumer; or (k) 
any information from or about an individual consumer that is combined with any 
of (a) through (j) above. For the purpose of this definition, an individual 
consumer includes an "employee", and "employee" shall mean an agent, 
servant, salesperson, associate, independent contractor, or other person directly or 
indirectly under your control. 

REQUESTS FOR DOCUMENTS AND INFORMATION 

Please provide the documents and information identified below.⁶ Unless otherwise 
indicated, the time period covered by these requests is from January 1, 2007 through the date of 
full and complete production of the documents and information requested. 

General Information 

1. Identify the complete legal name of LabMD and all other names under which it does, or 
has done, business, its corporate mailing address, and the date and state of incorporation. 

2. Identify and describe LabMD's parents, subsidiaries (whether wholly or partially owned), 
divisions (whether incorporated or not), affiliates, branches, joint ventures, franchises, 
operations under assumed names, and entities over which it exercises supervision or 
control. For each such entity, describe in detail the nature of its relationship to LabMD. 

3. Identify each individual or entity having an ownership interest in LabMD, as well as their 
individual ownership stakes and their positions and responsibilities within LabMD. 

4. Provide documents sufficient to describe your business in detail. The response should 
identify and describe: each product and service you offer; each location (both online and 
offline) through which you offer such products and services; and, annually, your revenues, 
number of employees, and number of customers. 

Personal Information 

5. Provide documents that describe in detail the types of personal information you collect, 


⁶ For purposes of this letter: the word "any" shall be construed to include the word "all," 
and the word "all" shall be construed to include the word "any;" the word "or" shall be construed 
to include the word "and," and the word "and" shall be construed to include the word "or;" the 
word "each" shall be construed to include the word "every," and the word "every" shall be 
construed to include the word "each;" and the term "document" means any preexisting written or 
pictorial material of any kind, regardless of the medium in which such material was created, and 
regardless of the method which it is stored (e.g., computer file, computer disk or tape, 
microfiche, etc.). 
obtain, store, maintain, process, transmit, handle, or otherwise use (collectively, "collect 
and store") in conducting your business, how and where you collect and store the 
information, and how you use the information. The response should include, but not be 
limited to: documents sufficient to identify the type(s) of personal information you 
collect and store, the source(s) of each such type of information (such as consumers, 
employees, medical providers, healthcare plans, and insurance companies), and the 
manner by which you collect or obtain the information (such as by paper documents or 
electronically through a website); and documents or a narrative that describe in detail how 
you use each type of information in conducting your business. 

Security Practices 

6. Identify by name, location, and operating system each computer network that you use 
directly or indirectly to collect and store personal information, and provide for each such 
network: 

(a) a high-level diagram (or diagrams) that sets out the components of the network 
and a narrative that describes the components in detail and explains their 
functions and how they operate together on the network. The description of the 
network components should identify and locate (within the network): computers; 
servers; firewalls; routers; Internet, private line, and other connections; 
connections to other internal and external networks; virtual private networks; 
remote access equipment (such as wireless access points); websites; and security 
mechanisms and devices (such as intrusion detection systems). In responding, 
please feel free to use blueprints and diagrams that set out in detail the 
components, topology, and architecture of the network; 

(b) documents sufficient to identify each computer, server, or other device where you 
collect and store personal information and, for each such computer, server, or 
device, each program, application, or other means (collectively, "databases") used 
to collect and store personal information; and 

(c) documents that concern, relate, or refer to each database identified in the response 
to Request 6(b), including, but not limited to: operating manuals; user guides; 
communications with database vendors; database schemas, diagrams, and/or 
blueprints (including table and field names); and documents sufficient to identify 
the length of time for which you maintain personal information in the database. 

7. Provide documents or a narrative that describe in detail the flow path of personal 
information over each network identified in response to Request 6, including the initial 
collection point for personal information (such as a website), the entry and exit points to 
and from the network, and all intermediate points within the network. 

8. Provide documents sufficient to identify the policies, procedures, and practices you have 
used on each network identified in the response to Request 6 to prevent unauthorized 
access to personal information collected and stored on the network, as well as the time 
period during which such policies, procedures, and practices were written and 
implemented. The response should include, but not be limited to, documents that 
concern, reflect, or relate to: controls on direct or remote access to personal information 
(such as a firewall policy or a password policy); controls on accessing and/or 
downloading personal information without authorization; the lifecycle of personal 
information, including maintaining, storing, using, and/or destroying the information; 
controls on the installation of programs or applications on computers or work stations on 
the network by employees or others; limits on the transmission of personal information 
within the network and between the network and other internal or external networks; 
logging network activity and reviewing the logs; secure application and website 
development; employee training; and plans for responding to security incidents. 

9. For each network identified in the response to Request 6, provide documents that 
describe in detail each security policy, procedure, practice, control, defense, or other 
measure (collectively, "security practice") used on the network. The response should 
include, but not be limited to: 

(a) all documents that concern, reflect, or relate to each security practice, including, 
but not limited to, practices to control the installation and/or use of P2P programs 
(whether such programs are authorized or not); 

(b) documents that set out the technical configurations of devices and programs you 
use to enforce each security practice, including, but not limited to, the 
configurations of firewalls or other means used to control or block P2P 
communications to and from the network and networks that connect to it; 

(c) training or security awareness materials provided to network users (such as 
employees and third-party persons and entities with access to the network) 
regarding your security practices, such as materials that concern security 
generally or the use of and risks presented by P2P programs; 

(d) documents that set out the frequency and extent to which such network users 
receive training or security awareness materials generally and as to the use of and 
risks presented by P2P programs; 

(e) documents sufficient to identify by name and title each employee who is, or has 
been, responsible for coordinating security practices on the network, and to 
describe the responsibilities of each such employee; 

(f) documents sufficient to identify whether and, if so, when you conducted or 
obtained (from another person or entity) a risk assessment to identify risks to the 
security, integrity, and confidentiality of personal information on the network; 

(g) all documents that concern, reflect, or relate to testing, monitoring, and/or 
evaluations of the effectiveness of security practices used on the network, 
including the dates when such activities were conducted and completed and plans 
and procedures for future testing, monitoring, and/or evaluation of security 
practices; and 

(h) documents that set out in detail all changes made in security practices on the 
network based upon testing, monitoring, and/or evaluations identified in the 
response to Request 9(g). 

10. Provide all documents that concern, reflect, or relate to each risk assessment identified in 
the response to Request 9(f) and the security risks identified therein, if any. For each 
such assessment, the response should include, but not be limited to: 

(a) documents sufficient to identify the date of the assessment and the name and title 
of the person(s) responsible for conducting the assessment; 

(b) a copy of the assessment; 

(c) documents that describe in detail the steps taken in conducting the assessment; 

(d) documents that concern, reflect, or relate to specific risks identified in the 
assessment and how you addressed each such risk; and 

(e) a copy of each (internal or external) report or other document that verifies, 
confirms, challenges, questions, or otherwise concerns the assessment. 

11. Provide documents sufficient to identify each third-party person or entity that, in the 
course of providing services to you ("service provider"), receives, maintains, processes, 
or otherwise is permitted access to personal information collected and stored by you. 

12. For each service provider identified in the response to Request 11, provide: 

(a) documents sufficient to identify the types of personal information to which the 
service provider has access; 

(b) documents sufficient to describe the manner and form of the service provider's 
access to personal information (such as physical access to your offices, remote 
access to your computer network(s), or the mailing of paper documents or 
computer storage media); 

(c) a narrative that contains in detail the business reasons why the service provider 
has access to such information; 

(d) copies of all contracts between you and the service provider; 

(e) documents that describe in detail the measures you took to select and retain the 
service provider to ensure that it is capable of appropriately protecting personal 
information you have provided or made available to the service provider; and 

(f) documents that describe in detail how you monitor the service provider to 
confirm that it has implemented and maintained security measures adequate to 
protect the security, integrity, and confidentiality of such personal information. 

Other Information 

13. Provide documents sufficient to identify any instance of which you are aware (including, 
if appropriate, the P2P breach) where personal information from a network identified in 
the response to Request 6 was or may have been shared or accessed without authorization 
(the "intrusion") and, for each such intrusion, identify when and how you first learned 
about the intrusion, the network(s) involved, and all persons with knowledge about it. 

14. Separately for each intrusion identified in the response to Request 13, provide all 
documents prepared by or for you that identify, describe, investigate, evaluate, or assess:⁷ 

(a) how the intrusion occurred; 

(b) the time period over which it occurred; 

(c) the security vulnerabilities that were or may have been exploited in the intrusion; 

(d) the actual or suspected point of entry; 

(e) the path the intruder followed from the (actual or suspected) point of entry to the 
location of the personal information that was or may have been compromised and 
then in exporting or downloading the information (including all intermediate 
points); 

(f) the type(s) and amount(s) of personal information that was or may have been 
accessed without authorization; and 

(g) the security measures you implemented in response to the intrusion. 

⁷ Responsive documents should include, but not be limited to: preliminary, interim, draft, 
and final reports that describe, assess, evaluate, or test security vulnerabilities that were 
or could have been exploited in the intrusion; (formal and informal) security audits or 
forensic analyses of the intrusion prepared internally and by third parties; security scans 
(such as for packet capture tools, password harvesting tools, rootkits, P2P programs, and 
unauthorized programs); incident reports; documents that identify the intruder; logs that 
record the intruder's steps in whole or part in conducting the intrusion; warnings issued 
by anti-virus, intrusion detection, or other security measures; records of reviews by 
network administrators or others of logs and warnings; records setting out the routine 
security activities and checklists performed by network administrators (such as verifying 
that scheduled jobs were authorized); and other documents that concern, reflect, or relate 
to the intrusion, such as minutes or notes of meetings attended by you or your employees. 

15. Separately for each intrusion identified in the response to Request 13 that was 
accomplished or facilitated by a P2P program and for the P2P breach if not identified in 
the response to Request 13 (collectively, "P2P intrusion"), identify each P2P program 
(including version number and upgrade) that was, or may have been, used in any way in 
the intrusion. For each such program: 

(a) identify: the manufacturer, model, type, operating system, and network location 
of each computer or other electronic device on which the P2P program was 
installed (collectively, the "breach computer"); the source from which the 
program was downloaded to the breach computer; when and by whom the 
program was downloaded and installed on the breach computer; when the 
program was removed from the breach computer; how long the program was 
active on the computer; whether the default settings on the program were changed 
after it was installed on the breach computer, and, if so, when, by whom, and in 
what ways; and whether you authorized the installation and use of the program on 
the breach computer; 

(b) explain in detail your business need for using the program, if any, and identify 
who was using the program and why they were using it; 

(c) explain in detail all limitations you placed on use of the program, including 
security practices; and 

(d) provide a copy of each file generated as a result of installing the program on the 
breach computer, including, but not limited to, executable, history, and 
configuration files. 

16. Separately for each P2P intrusion: 

(a) provide all logs, audits, assessments, or reports that concern, reflect, or relate to 
the intrusion; 

(b) identify the name of each folder and subfolder that was shared (uploaded or 
downloaded) through the intrusion, the name (including file extension) and 
content of each internal and external file (other than a purely music or video file) 
that was shared, and the amount and type of personal information in each file that 
was shared; and 

(c) describe in detail each folder, subfolder, file, and/or program (including 
functionality) that was shared through the intrusion. 
17. Separately for each intrusion identified in the response to Request 13, provide all 
documents that concern, relate to, or refer to fraud and/or identity theft attributable to the 
intrusion and to the consequences of the fraud or identity theft. Responsive documents 
should include, but not be limited to: 

(a) fraud reports, alerts, or warnings issued by bank associations, banks, or other 
entities; documents that assess, identify, evaluate, estimate, or predict the number 
of consumers or employees that have, or are likely to, suffer fraud or identity 
theft; claims made against you for fraud or identity theft, such as by affidavits 
filed by consumers or employees; and documents that assess, identify, evaluate, 
estimate, or predict the dollar amount of fraud, identity theft, or other costs (such 
as for increased fraud monitoring or providing fraud insurance) attributable to the 
intrusion; 

(b) documents that concern, reflect, or relate to investigations of or complaints filed 
with or against you relating to the intrusion, including, but not limited to, private 
lawsuits, correspondence with you, and documents filed with Federal, State, or 
local government agencies, Federal or State courts, and Better Business Bureaus; 
and 

(c) documents or a narrative that identifies how (such as public announcement or 
individual breach notification letter), when, how many, and by whom consumers 
and/or employees were notified that their personal information was or may have 
been obtained without authorization through the intrusion. If notification has 
been made, explain why notification was made (e.g., compelled by law) and 
provide a copy of each substantively different notification. If notification was not 
provided as soon as you became aware of the intrusion or was not provided to all 
affected consumers and/or employees or at all, provide a narrative explaining why 
not. 

18. Provide documents sufficient to identify all policies, claims, and statements you have 
made regarding the collection, disclosure, use, storage, destruction, and protection of 
personal information, including any policies, claims, or statements relating to how you 
secure personal information, and for each such policy, claim, or statement identify the 
date(s) when it was adopted or made, to whom it was distributed, and all means by which 
it was distributed. 

Please send all documents and information to: Alain Sheer, Division of Privacy and 
Identity Protection, Federal Trade Commission, 600 Pennsylvania Ave., NW, Mail Stop NJ- 
8122, Washington, D.C. 20580. Due to extensive delays resulting from security measures taken 
to ensure the safety of items sent via the U.S. Postal Service, we would appreciate receiving 
these materials via Federal Express or a similar delivery service provider, if possible. 

Thank you for your prompt attention to this matter. Please contact me (at 202-326-3321) 
if you have any questions about this request or need any additional information.⁸ 


Sincerely, 

Alain Sheer 

Division of Privacy and Identity Protection 


⁸ The Commission has a longstanding commitment to a fair regulatory enforcement 
environment. If you are a small business (under Small Business Administration standards), you 
have a right to contact the Small Business Administration's National Ombudsman at 1-888- 
REGFAIR (1-888-734-3247) or www.sba.gov/ombudsman regarding the fairness of the 
compliance and enforcement activities of the agency. You should understand, however, that the 
National Ombudsman cannot change, stop, or delay a federal agency enforcement action. The 
Commission strictly forbids retaliatory acts by its employees, and you will not be penalized for 
expressing a concern about these activities. 
Dissenting Statement of Commissioner J. Thomas Rosch 
Petitions of LabMD, Inc. and Michael J. Daugherty 
to Limit or Quash the Civil Investigative Demands 

FTC File No. 1023099 
June 21, 2012 

I dissent from the Commission's vote affirming Commissioner Brill's letter decision, 
dated April 20, 2012, that denied the petitions of LabMD, Inc. and Michael J. Daugherty to limit 
or quash the civil investigative demands. 

I generally agree with Commissioner Brill's decision to enforce the document requests 
and interrogatories, and to allow investigational hearings to proceed. As she has concluded, 
further discovery may establish that there is indeed reason to believe there is Section 5 liability 
regarding petitioners' security failings independent of the "1,718 File" (the 1,718 page 
spreadsheet containing sensitive personally identifiable information regarding approximately 
9,000 patients) that was originally discovered through the efforts of Dartmouth Professor M. Eric 
Johnson and Tiversa, Inc. In my view, however, as a matter of prosecutorial discretion under the 
unique circumstances posed by this investigation, the CIDs should be limited. Accordingly, 
without reaching the merits of petitioners' legal claims, I do not agree that staff should further 
inquire - either by document request, interrogatory, or investigational hearing - about the 1,718 
File. 

Specifically, I am concerned that Tiversa is more than an ordinary witness, informant, or 
“whistle-blower.” It is a commercial entity that has a financial interest in intentionally exposing 
and capturing sensitive files on computer networks, and a business model of offering its services 
to help organizations protect against similar infiltrations. Indeed, in the instant matter, an 
argument has been raised that Tiversa used its robust, patented peer-to-peer monitoring 
technology to retrieve the 1,718 File, and then repeatedly solicited LabMD, offering 
investigative and remediation services regarding the breach, long before Commission staff 
contacted LabMD. In my view, while there appears to be nothing per se unlawful about this 
evidence, the Commission should avoid even the appearance of bias or impropriety by not 
relying on such evidence or information in this investigation. 
FTC Files Complaint Against LabMD for Failing to 
Protect Consumers' Privacy 

Commission Alleges Exposure of Medical and Other Sensitive Information Over 
Peer-to-Peer Network 

August 29, 2013 


The Federal Trade Commission filed a complaint against medical testing laboratory LabMD, Inc. alleging that the 
company failed to reasonably protect the security of consumers' personal data, including medical information. 

The complaint alleges that in two separate incidents, LabMD collectively exposed the personal information of 
approximately 10,000 consumers. 

The complaint alleges that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) 
file-sharing network and then, in 2012, LabMD documents containing sensitive personal information of at least 
500 consumers were found in the hands of identity thieves. 

The case is part of an ongoing effort by the Commission to ensure that companies take reasonable and 
appropriate measures to protect consumers' personal data. 

LabMD conducts laboratory tests on samples that physicians obtain from consumers and then provide to the 
company for testing. The company, which is based in Atlanta, performs medical testing for consumers around 
the country. The Commission's complaint alleges that LabMD failed to take reasonable and appropriate 
measures to prevent unauthorized disclosure of sensitive consumer data - including health information - it held. 
Among other things, the complaint alleges that the company: 

did not implement or maintain a comprehensive data security program to protect this information; 

did not use readily available measures to identify commonly known or reasonably foreseeable security 
risks and vulnerabilities to this information; 

did not use adequate measures to prevent employees from accessing personal information not needed to 
perform their jobs; 



did not adequately train employees on basic security practices; and 

did not use readily available measures to prevent and detect unauthorized access to personal information. 


The complaint alleges that a LabMD spreadsheet containing insurance billing information was found on a P2P 
network. The spreadsheet contained sensitive personal information for more than 9,000 consumers, including 
names, Social Security numbers, dates of birth, health insurance provider information, and standardized medical 
treatment codes. Misuse of such information can lead to identity theft and medical identity theft, and can also 
harm consumers by revealing private medical information. 

P2P software is commonly used to share music, videos, and other materials with other users of compatible 
software. The software allows users to choose files to make available to others, but also creates a significant 
security risk that files with sensitive data will be inadvertently shared. Once a file has been made available on a 
P2P network and downloaded by another user, it can be shared by that user across the network even if the 
original source of the file is no longer connected. 

“The unauthorized exposure of consumers’ personal data puts them at risk,” said Jessica Rich, Director of the 
FTC’s Bureau of Consumer Protection. “The FTC is committed to ensuring that firms who collect that data use 
reasonable and appropriate security measures to prevent it from falling into the hands of identity thieves and other 
unauthorized users.” 

The complaint also alleges that in 2012 the Sacramento, California Police Department found LabMD documents 
in the possession of identity thieves. These documents contained personal information, including names, Social 
Security numbers, and in some instances, bank account information, of at least 500 consumers. The complaint 
alleges that a number of these Social Security numbers are being or have been used by more than one person 
with different names, which may be an indicator of identity theft. 

The complaint includes a proposed order against LabMD that would prevent future violations of law by requiring 
the company to implement a comprehensive information security program, and have that program evaluated every 
two years by an independent, certified security professional for the next 20 years. The order would also require 
the company to provide notice to consumers whose information LabMD has reason to believe was or could have 
been accessible to unauthorized persons and to consumers' health insurance companies. 

The Commission vote to issue the administrative complaint and notice order was 4-0. 

Because LabMD has, in the course of the Commission's investigation, broadly asserted that documents provided 
to the Commission contain confidential business information, the Commission is not publicly releasing its 
complaint until the process for resolving any claims of confidentiality is completed and items in the complaint 
deemed confidential, if any, are redacted. 

NOTE: The Commission issues an administrative complaint when it has "reason to believe" that the law has 
been or is being violated, and it appears to the Commission that a proceeding is in the public interest. The 
issuance of the administrative complaint marks the beginning of a proceeding in which the allegations will be tried 
in a formal hearing before an administrative law judge. 

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business 
practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, 
visit the FTC's online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints 
into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law 
enforcement agencies in the U.S. and abroad. The FTC's website provides free information on a variety of 
consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest 
FTC news and resources. 

CONTACT INFORMATION 

MEDIA CONTACT: 
Jay Mayfield 
Office of Public Affairs 
202-326-2181 

STAFF CONTACT: 
Robert Schoshinski 
Bureau of Consumer Protection 
202-326-3219 



targeting Section 5 enforcement efforts at most 
plainly anticompetitive conduct—that without 
redeeming efficiency justifications 
Chairman ISSA. Mr. Roesler. 

I’m sorry, you’re finished, right? 

Mr. Daugherty. Oh, yeah. 

Chairman ISSA. Thank you. 

Mr. Roesler. 

STATEMENT OF DAVID ROESLER 

Mr. Roesler. Good morning, committee members. My name is 
David Roesler. I am and have been the executive director of Open 
Door Clinic in Elgin, Illinois, the far western suburbs of Chicago, 
for the past 15 years. I am appearing today in response to an invi- 
tation to testify on behalf of Open Door regarding its involvement 
with the FTC and a company called Tiversa. 

Between September of 2008 and March of 2013, Open Door was 
involved in a class-action lawsuit due to a file that was found on 
the Internet that contained names, some with Social Security num- 
bers, some with addresses, some with birth dates. 

Open Door is a small, not-for-profit AIDS organization. Currently 
we have about 30 employees. We had about 15 during this time. 
We provide medical care, support services for our clients. 

In July of 2008, a company called Tiversa contacted Open Door 
and said that they had had access to a confidential document ob- 
tained from a P2P network on the Internet. Communications with 
Tiversa included a contract for services. The suggested fees for the 
contract were $475 an hour. We contacted our IT service provider, 
who researched our network and found no evidence of any P2P net- 
works at that time. 

In September of 2009, Tiversa contacted Open Door again to re- 
port that documents were still available on the P2P software. Open 
Door’s IT provider once again reviewed its network to confirm that 
there was no evidence of any P2P software at that time. 

Two months after that, in November of 2009, clients began call- 
ing their case managers at the clinic, reporting that they were re- 
ceiving phone calls from a law firm asking them to join a class-ac- 
tion lawsuit because their information had been released by Open 
Door. At Open Door’s November board meeting, shortly after the 
clients started calling, one of the board members, who is a client, 
brought in a letter that he got in the mail, also from this out-of- 
State law firm, telling him that they had his information out on 
the Internet, and would he join a class-action lawsuit. 

Then in January of 2010, we received a letter from the FTC. The 
letter indicated that they had found a file on a peer-to-peer net- 
work, and it had a different title than the document that had been 
reported found by Tiversa. 

Also in January that same month, in 2010, Open Door was suc- 
cessful at getting a law firm to provide us some pro bono work to 
help us understand what our compliance and responsibilities were. 
Open Door and its IT provider once again reviewed our network, 
all of our workstations to confirm that there was no P2P software 
at that time. 

In February, a month later, February of 2010, a class-action law- 
suit was filed in Kane County against Open Door. Sensational 
newspaper headlines; numerous media outlets began showing up at 
our door. And 3 years later Open Door’s settlement agreement was 
approved by the court, dismissing the class action. Open Door and 
its insurers agreed to these motions. 

Open Door denied, and continues to deny, any legal responsibility 
for the disclosure. Had the case been tried, we would have expected 
to prevail, but because of the uncertainties, the expense of litiga- 
tion, Open Door and its insurers agreed to terminate this litigation 
under these terms. 

Thank you for letting me tell my story. 

Chairman ISSA. Thank you. 

[Prepared statement of Mr. Roesler follows:] 
Testimony for the House Committee on Oversight and Government Reform 

Good Morning Committee Members, 

My name is David Roesler and I have been the Executive Director of Open Door Clinic of Greater Elgin for 
the past 15 years. 

I am appearing today in response to an invitation to testify on behalf of Open Door regarding its 
involvement with the FTC and a company called Tiversa. 

Between September 2008 and March 2013, Open Door was involved in a class action lawsuit due to a 
file that was found on the internet that contained names, some with social security numbers and some 
with addresses and birthdates. 

Open Door is a small not-for-profit AIDS Service Organization, approximately 30 employees, providing 
medical and support care for people living with HIV/AIDS in the far western suburbs of Chicago, Illinois. 

In July 2008 a company called Tiversa contacted Open Door and said that they had access to a 
confidential document obtained from a P2P network on the Internet. 

Communications with Tiversa included a contract for services. The suggested fees for the contract were 
for $475/hr. 

We contacted our IT Service Provider who researched our network and found no evidence of any P2P 
networks at that time. 

In September 2009, Tiversa contacted Open Door again to report that documents were still available on 
P2P software. 

Open Door's IT Service Provider, once again, reviewed its network to confirm that there was no evidence 
of P2P software. 

In November 2009, clients began calling their case workers, reporting that they were receiving phone calls from 
lawyers asking them to join a class action lawsuit due to their information being released by Open Door. 

At Open Door's November Board Meeting, one board member, also a client, brought in a letter from an 
out-of-state law firm asking them to join a class action lawsuit. 

In January 2010, we received a letter from the FTC. The letter indicated that they had found a file on a P2P 
Network with a different title than that revealed by Tiversa. 
Also in January 2010, Open Door was successful in getting an engagement letter with a law firm to 
provide pro bono services and began to review our responsibilities of compliance. 

Open Door and its IT provider once again reviewed our network and each workstation to confirm that 
there was no P2P software at that time. 

In February 2010, a class action lawsuit was filed in Kane County, Illinois against Open Door. 

Sensational newspaper headlines and numerous media outlets began calling and showing up at the 
clinic. 

On March 7, 2013, Open Door's settlement agreement was approved by court order, dismissing the class 
action. 

Open Door and its insurers agreed to these motions. Open Door denied and continues to deny any legal 
responsibility for the disclosure. Had the case been tried, we would have expected to prevail, but because of 
the uncertainties and expense of litigation, Open Door and its insurers agreed to terminate this litigation 
under these terms. 
Chairman ISSA. Mr. Stegmaier. 

STATEMENT OF GERARD M. STEGMAIER 

Mr. Stegmaier. Mr. Chairman Issa, Ranking Member 
Cummings, members of the subcommittee, my name is Gerry 
Stegmaier, and I’m pleased to be here today to discuss the Federal 
Trade Commission’s data security enforcement activities under Sec- 
tion 5 of the FTC Act. The views I express are my own, not of our 
clients or of our firm. 

I’m a partner at Goodwin Procter LLP, and an adjunct professor 
at George Mason University School of Law, where I’ve taught pri- 
vacy, consumer protection, and constitutional law courses for the 
last 13 years. I regularly appear before the Federal Trade Commis- 
sion, State attorneys general, and assist businesses with all aspects 
of their privacy and information governance concerns. I appreciate 
the opportunity to appear before you today. 

In 2013, there were 63,437 reported security incidents, and 1,367 
confirmed data breaches. That is not a number reporting the num- 
ber of accessible information, which is one of the things that Mike 
spoke about. According to Verizon’s 2014 data breach investigation 
report, 44 million data records across the globe have been exposed. 

Companies are aware of the need for data security, and have 
taken steps to be more secure. Data security is important to con- 
sumers, the economy, and business, but equally important is the 
basic constitutional principle that people have a right to know what 
the law expects of them before we prosecute them. 

I think a simple analogy helps illustrate this in practice. When 
we want people to regulate how fast they drive their cars, we post 
speed limit signs. If you violate that posted limit, and the sign has 
been there for more than 60 days, you will likely receive a citation. 
The law calls this fair notice, and the Constitution protects us from 
government overreach with it. It is the shield that protects us from 
the deference that agencies receive. 

While this analogy may not be a good one, it’s important to note 
that it represents the feelings of many organizations that confront 
FTC enforcement actions relating to data security. 

The agency has offered no formal rulemakings or adjudications 
related to data security, and the FTC appears to regulate data se- 
curity primarily through complaints and consent orders, as we’ve 
heard. Neither the complaints nor the consent orders are binding, 
reliable precedent. They are nonprecedential. Some might call this 
stop-and-frisk black box justice. 

FTC complaints and consent orders are inconsistent and often 
lack critical information. For example, it is often unclear whether 
implementing some or all of the measures in a given order would 
result in fair data security, or even serve to avoid future enforce- 
ment actions had the underlying company admitted them in the 
first instance or practiced them. 

The FTC’s often repeated position is that security standards can’t 
be enforced in an industry-specific, case-by-case manner without 
more guidance provides little comfort to those appearing before the 
agency. Because the FTC decides on an individual and 
postinfraction basis whether a company is noncompliant, the risk 
of enforcement actions is unimaginable and unpredictable, as we 
have heard. The penalties that may result from noncompliance are 
potentially ruinous. Combined with ambiguity of the law, unneces- 
sary compliance risks for regulated entities has created a situation 
ripe for overreach, unfairness, and an uneven application of the 
law. 

The FTC’s existing enforcement and guidance practices also pose 
serious due process concerns relating to fair notice of the law’s 
requirements. The current enforcement environment consists of 
aggressive enforcement against the victims of third-party criminal 
hacking who operate in a realm without clear and unmistakable data 
security law. Improved authoritative — and I emphasize authori- 
tative — interpretations of Section 5 by the agency and the courts 
are crucial to improve compliance and provide entities with suffi- 
cient information to understand how to respond. 

Let me be clear. The FTC has the means to more clearly define 
the law and provide useful, reliable guidance. The existing tools are 
there. Sadly, there’s plenty of room for improvement with the use 
of these existing tools, and improvements are essential to clarify 
the underlying uncertainty, which we have heard about, and, more 
importantly, to address the constitutional issue of fair notice and 
due process. 

The current reasonableness test, absent additional flexible, prin- 
ciples-based authoritative guidelines or court-resolved litigation, 
will do little or nothing to clarify the data security obligations of 
companies. Using the standards “reasonable and appropriate” 
without articulating such factors as the nature of business, the kind of 
information collected, or any other factors that may come into play 
may not ensure that fair notice occurs. 

In essence, we tell our clients do what you say and say what you 
do. We need to hear from the agency what they’re doing and what 
they’re saying so that the people who are subject to prosecution can 
understand how to respond and how to behave in the first instance. 

The FTC itself has not consistently defined what sensitive infor- 
mation is, and without clarification, the agency’s enforcement will 
continue to be perceived as arbitrary, and we will lack an under- 
standing of reasonableness. 

I thank you for your time and attention. I’m pleased to answer 
any questions you might have. 

Chairman ISSA. Thank you. 

[Prepared statement of Mr. Stegmaier follows:] 
Mr. Chairman Issa, Ranking Member Cummings, and Members of the Subcommittee, my 
name is Gerry Stegmaier, and I am a partner at Goodwin Procter LLP and an adjunct professor at 
George Mason University School of Law, where I created one of the first information privacy 
law courses and have taught courses relating to privacy, consumer protection, and constitutional 
law for the last 13 years. I regularly appear before the Federal Trade Commission and state 
attorneys general, and I assist businesses with all aspects of their privacy and information 
governance concerns. I appreciate the opportunity to appear before you today to talk about the 
Federal Trade Commission’s data security enforcement efforts under Section 5 of the Federal 
Trade Commission Act.¹ 

INTRODUCTION 

In 2013, there were 63,437 reported security incidents and 1,367 confirmed data breaches 
affecting more than 44 million data records across the globe according to Verizon’s 2014 Data 
Breach Investigation Report.² Most data breaches involve malicious criminal activity stemming 
from outsiders. 

While entities have business incentives to protect the information they collect, there is no 
single broad federal law requiring data security. Instead, the law has focused on criminalizing 
unauthorized access. This is not surprising since the law generally favors open and broad 
accessibility of information. Congress has limited its data-security legislation to certain 
industries, such as finance and healthcare, where public debate led to a consensus that increased 
information protection legislation was required. Generally, in the United States, data stewardship 


¹ The views contained in this testimony solely represent the views of myself in my individual and private capacity and are not 
necessarily the views of my firm, our clients, or any particular institution with whom I may be affiliated. 

² 2014 Data Breach Investigations Report, VERIZON, 11, http://www.verizonenterprise.com/DBIR/2014/ (last visited July 21, 
2014). 
is encouraged primarily by state-enacted breach notification requirements.³ 

Over the last decade, the FTC has begun requiring reasonable data security for entities 
not covered by existing, industry-specific federal regulations. The FTC routinely investigates 
publicly reported data-related incidents and has brought more than 40 data-security cases since 
2000.⁴ The FTC has become increasingly aggressive, as demonstrated by an FTC consent order 
with HTC America after the company’s mobile security vulnerabilities allegedly potentially 
exposed sensitive information, even though no actual data compromise was alleged. 

The FTC bases its authority over data security on § 5 of the Federal Trade Commission 
Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.”⁵ Usually, 
the FTC makes a deceptive practices claim when an entity experiences a data breach after 
publishing statements that it secures data.⁶ Less frequently, the FTC alleges unfair practices in 
data-security cases.⁷ However, § 5 does not mention data security, which begs a practical 
question: Because the Constitution requires that entities receive fair notice to reasonably 
understand what behavior complies with the law, does the investigation and prosecution of 
entities under § 5 in data-security cases violate entities’ constitutional rights to fair notice? And, 
if so, how might these due process concerns be better addressed? 

While the Fair Notice Doctrine began in the context of criminal defense, in 1968 the U.S. 
Court of Appeals for the District of Columbia Circuit acknowledged the doctrine’s applicability 


³ Notably, some states, such as California, have data-security requirements. E.g., CAL. CIV. CODE § 1798.81.5(b) (West 2006) 
(“A business that owns or licenses personal information about a California resident shall implement and maintain reasonable 
security procedures and practices appropriate to the nature of the information, to protect the personal information from 
unauthorized access, destruction, use, modification, or disclosure”). 

⁴ See Plaintiff's Response in Opposition to Wyndham Hotels and Resorts' Motion to Dismiss at 13, FTC v. Wyndham Worldwide 
Corp., No. 2:13-CV-01887-ES-SCM (D.N.J. June 17, 2013) [hereinafter Wyndham FTC Response]. 

⁵ 15 U.S.C. § 45(a)(1) (2006). 

⁶ Plaintiff's Response in Opposition to Wyndham Hotels and Resorts' Motion to Dismiss at 7, FTC v. Wyndham Worldwide 
Corp., No. CV 12-1365-PHX-PGR (D. Ariz. Aug. 9, 2012). 

⁷ Id. (stating that seventeen of the thirty-six cases brought under the FTC Act alleged unfair practices). 
in the civil administrative context.⁸ The court observed, “Where the regulation is not sufficiently 
clear to warn a party about what is expected of it — an agency may not deprive a party of property 
by imposing civil or criminal liability.”⁹ 

The fair notice doctrine is not a trivial, academic legal theory with little bearing on the 
practice of law. On the contrary, given the FTC’s broad discretion under § 5 of the FTC Act, the 
FTC’s aggressive enforcement stance in the data-security context, and the agency’s reluctance to 
use its existing rulemaking authority to clarify its data-security expectations, the doctrine is 
directly relevant to the current regulatory climate.¹⁰ Although the FTC has undertaken significant 
efforts to develop and improve notice of its interpretation of § 5, the nature, format, and content 
of the agency’s data security-related pronouncements raise equitable considerations that create 
serious due process concerns.¹¹ 

FAIR NOTICE DOCTRINE 

WHAT IS THE FAIR NOTICE DOCTRINE? 

The fair notice doctrine requires that entities be able to reasonably understand whether 
their behavior complies with the law. If an entity acting in good faith cannot identify with 
“ascertainable certainty” the standards to which an agency expects it to conform, the agency has 
not provided fair notice.¹² An agency using enforcement conduct, rather than less adversarial 
methods, to define the contours of its broad discretion likely raises greater due process 


⁸ Radio Athens, Inc. v. FCC, 401 F.2d 398, 404 (D.C. Cir. 1968). 

⁹ Gen. Elec. Co. v. EPA, 53 F.3d 1324, 1328-29 (D.C. Cir. 1995). 

¹⁰ Fair notice is particularly important when courts defer to an agency’s interpretation of the scope of its jurisdictional authority. 
When agencies may define the breadth of their authority under broadly-worded statutes, fair notice may be one of few constraints 
on arbitrary and capricious agency action. For example, in City of Arlington v. FCC, the Supreme Court reviewed the FCC’s 
assertion of jurisdiction under the Communications Act over applications for wireless facilities. The Supreme Court concluded 
that a court should defer to any agency’s interpretations of the statute that it enforces, even those regarding the extent of the 
agency’s authority. City of Arlington, Texas v. FCC, 596 U.S. ___, 133 S. Ct. 1863 (2013). 

¹¹ In its response to Wyndham’s motion to dismiss, the FTC stated, “unreasonable data security practices are unfair.” See 
Plaintiff's Response in Opposition to Wyndham Hotels and Resorts’ Motion to Dismiss at 7, FTC v. Wyndham Worldwide Corp., 
No. 2:13-CV-01887-ES-SCM (D.N.J. June 17, 2013). The FTC argues that Wyndham has notice from government and industry 
sources about what security practices are reasonable. 

¹² Gen. Elec., 53 F.3d at 1329 (citing Diamond Roofing Co. v. OSHRC, 528 F.2d 645, 649 (5th Cir. 1976)). 
concerns.¹³ Due process protections, like those provided by the fair notice doctrine, increase in 
importance in these circumstances. A defendant may raise the fair notice defense to defend itself 
against agency enforcement when it feels it has not received proper notice.¹⁴ 

DISTINCTION BETWEEN CHEVRON DEFERENCE AND THE FAIR NOTICE 
DOCTRINE 

The fair notice doctrine can serve as an effective defense even when a statute passes 
Chevron deference. Chevron deference is a powerful legal doctrine based on the assumption that 
federal agencies are experts on the statutes they enforce.¹⁵ Under Chevron, courts defer to 
agencies’ reasonable interpretations of the statutes they enforce when such statutes are 
ambiguous.¹⁶ However, if an agency interpretation is unpublished or unclear, entities can argue 
that an agency should not hold them accountable for noncompliance under the fair notice 
doctrine, and if such an argument prevails, the court will dismiss the claims stemming from that 
interpretation, or lack thereof. 

THE FAIR NOTICE TEST AS APPLIED BY THE D.C. CIRCUIT 

The fair notice doctrine is a creature of judicial creation not yet reviewed or bounded by 


¹³ See, e.g., Martin v. OSHRC, 499 U.S. 144, 158 (1991) (citing NLRB v. Bell Aerospace Co., 416 U.S. 267, 295 (1974)) (“[T]he 
decision [by an agency] to use a citation as the initial means for announcing a particular interpretation may bear on the adequacy 
of notice to regulated parties.”). 

¹⁴ See Kenneth K. Kilbert & Christian J. Helbling, Interpreting Regulations in Environmental Enforcement Cases: Where Agency 
Deference and Fair Notice Collide, 17 VA. ENVTL. L.J. 449, 454 (1998) (“The fair notice principle mandates that persons may 
not be punished for failing to comply with a law of which they could not have known.”); Albert C. Lin, Refining Fair Notice 
Doctrine: What Notice Is Required of Civil Regulations?, 55 BAYLOR L. REV. 991, 998 (2003) (“[D]ue process requires . . . 
that parties subject to administrative sanctions are entitled to fair notice because civil penalties result in a deprivation of 
property . . . .”); John F. Manning, Constitutional Structure and Judicial Deference to Agency Interpretations of Agency Rules, 96 
COLUM. L. REV. 612, 669-70 (1996) (“[I]t is arbitrary and capricious for the government to deny benefits based on 
noncompliance with standards that a putative beneficiary could not reasonably have anticipated.”); Jeremy Waldron, Vagueness 
in Law and Language: Some Philosophical Issues, 82 CALIF. L. REV. 509, 538 (1994) (describing the unfairness of imposing 
vague legal requirements); Jason Nichols, Note, “Sorry! What the Regulation Really Means Is . . .”: Administrative Agencies’ 
Ability to Alter an Existing Regulatory Landscape Through Reinterpretation of Rules, 80 TEX. L. REV. 953, 964 (2002) 
(“Armed with knowledge of the bounds of acceptable action, people will be better able to plan their actions and will know when 
the government unjustly trounces upon their liberties.”). 

¹⁵ Gen. Elec., 53 F.3d at 1327 (citing Chevron U.S.A., Inc. v. Natural Res. Def. Council, 467 U.S. 837, 864-66 (1984)). For more 
information on Chevron deference, see Kristine Cordier Karnezis, Annotation, Construction and Application of “Chevron 
Deference” to Administrative Action by United States Supreme Court, 3 A.L.R. Fed. 2d 25, 39 (2005); 2 AM. JUR. 2d 
Administrative Law § 77 (2002). 

¹⁶ Chevron U.S.A., Inc. v. Natural Res. Def. Council, 467 U.S. 837, 864-66 (1984); Gen. Elec., 53 F.3d at 1327. 
the Supreme Court. The D.C. Circuit, the federal appeals court most frequently confronted with 
important questions of administrative law, has the most developed fair notice jurisprudence. 

“Ascertainable Certainty”: The D.C. Circuit’s Test 

In a nutshell, fair notice requires that a party be able to determine an agency’s 
expectations with “ascertainable certainty” in order to satisfy due process requirements. Fair 
notice exists when “a regulated party acting in good faith would be able to identify, with 
‘ascertainable certainty,’ the standards with which the agency expects parties to conform.” 
“The regulations and other public statements issued by the agency” should provide this 
ascertainable certainty. 

What is “Ascertainable Certainty”? 

The words “ascertainable certainty” are not particularly clear; the D.C. Circuit has 
identified four factors to apply the standard: 

1. Does the Plain Text of the Law Provide Notice, and Is the Regulated Entity’s 
Interpretation Plausible? 

The D.C. Circuit has held that the most important factor for a successful fair notice 
defense is whether a careful reading of the law’s plain language provides the necessary notice of 
the law’s meaning. “[W]here the regulation is not sufficiently clear to warn a party about what 
is expected of it,” the fair notice doctrine protects a party from government sanction. The 
language of the regulation provides proper notice only if it is “reasonably comprehensible to 
people of good faith.” Where the law is silent or ambiguous and multiple interpretations exist, 


Gen. Elec., 53 F.3d at 1329 (citing Diamond Roofing, 528 F.2d at 649). 

Id. (citing Diamond Roofing, 528 F.2d at 649). 

See McElroy Elecs. Corp. v. FCC, 990 F.2d 1351, 1353, 1362 (D.C. Cir. 1993). 

Gen. Elec. Co. v. EPA, 53 F.3d 1324, 1328 (D.C. Cir. 1995). 

Id. at 1330-31 (quoting McElroy Elecs., 990 F.2d at 1358). 

the D.C. Circuit has applied the fair notice doctrine to protect parties from government sanctions. 

2. Do “Authoritative” Pre-Enforcement Efforts by the Agency, Such as Public 
Statements, Provide Adequate Notice? 

Courts will determine whether the conduct of the agency ensures adequate notice by 
reviewing the agency’s public statements and actions, such as notices published in the Federal 
Register, adjudicatory opinions, previous citations, and policy statements. To my 
knowledge, the D.C. Circuit has not analyzed whether a single-party consent decree or settlement 
with an agency constitutes a reviewable and authoritative interpretive document as part of the 
“ascertainable certainty” test. 

Moreover, to meet fair notice requirements, agency guidance must be “authoritative” and 
originate from the agency as a whole. Statements from some other source, like the opinion of 
agency staff or even a single commissioner who may not be speaking for the entire agency, are 
insufficient. A court would need to determine whether an agency’s public statements, such as 
published complaints, consent orders, and guidance came from the agency as a whole. If they did 
not, a court should not consider them as a source of notice. Regulated entities should be able to 
clearly determine which statements identify the law’s requirements, and which do not. By 
limiting the authoritative source to agencies as a whole, courts relieve regulated entities from 


See Darrell Andrews Trucking, Inc. v. FMCSA, 296 F.3d 1120, 1130-32 (D.C. Cir. 2002) (concluding that the formal 
regulatory guidance and notice of proposed rulemaking published in the Federal Register were self-contradictory); Chrysler 
Corp., 158 F.3d at 1356 (reviewing the Federal Register notice discussing the rule and concluding that the notice was silent on 
the matter). 

Darrell Andrews Trucking, 296 F.3d at 1130-32 (concluding that the agency’s adjudicatory opinion in a prior case gave a 
“crystal clear” interpretation of the regulation). 

Id. (finding that notice was provided when the agency had previously cited the defendant for regulation violations). 

Gates & Fox Co. v. OSHRC, 790 F.2d 154, 157 (D.C. Cir. 1986) (Scalia, J.) (holding that notice of a violation given by a non-
agency safety inspector did not provide sufficient notice, because it was “not an authoritative interpretation of the regulation”); 
see also United States v. Hoechst Celanese Corp., 128 F.3d 216, 230 (4th Cir. 1997). 

Gates & Fox Co., 790 F.2d at 157 (D.C. Cir. 1986) (Scalia, J.) (holding that notice of a violation given by a non-agency safety 
inspector did not provide sufficient notice, because it was “not an authoritative interpretation of the regulation”); see also United 
States v. Hoechst Celanese Corp., 128 F.3d 216, 228, 230 (4th Cir. 1997) (holding fair notice only occurs if the agency’s 
authoritative interpretation is provided to the entity), cert. denied, 524 U.S. 952 (1998). 

having to parse the statements of agency staff or individual commissioners to determine what the 
law is. 

3. Did the Agency Inconsistently Interpret the Law or Inconsistently Apply Its 
Interpretation? 

A fair notice inquiry will look for an agency’s conflicting interpretations of the law, i.e., 
whether the agency published inconsistent documentation, provided inconsistent advice to entities, or 
otherwise acted inconsistently. When an agency provided no notice at all, courts would likely exclude this 
factor. 


4. Imposition of a Serious Penalty 

Finally, the regulation must be sufficiently clear to warn a party of what is expected of it; 
otherwise, an “agency may not deprive a party of property by imposing civil or criminal 
liability.” The D.C. Circuit seems to view this requirement broadly. According to the court, due 


In the litigation context, the FTC also has not clearly stated what features of its consent orders are legal requirements. The FTC 
states that certain data security activities must be evaluated, but it does not state that the activities must be implemented. 
Wyndham FTC Response, supra n. 4, at 19 (“Although every situation is different, the consent orders in these matters provide 
industry, including Wyndham, with notice of different features of data security that must be evaluated in order to maintain a 
reasonable data security program.”). 

See Darrell Andrews Trucking, Inc., 296 F.3d at 1130 (stating that the “self-contradictory ‘clarifying’ utterances” in an 
agency’s formal guidance “could have left [an entity] confused about what was required of it”); Chrysler Corp., 158 F.3d at 1356 
(concluding a prior schematic illustrating testing procedures conflicted with the EPA’s current interpretation of the testing 
standard and stating, “[A]n agency is hard pressed to show fair notice when the agency itself has taken action in the past that 
conflicts with its current interpretation of a regulation.”); Satellite Broad. Co. v. FCC, 824 F.2d 1, 2 (D.C. Cir. 1987) (finding 
other sections of the agency’s rules “baffling and inconsistent”). 

Gen. Elec. Co. v. EPA, 53 F.3d 1324, 1332 (D.C. Cir. 1995) (finding that different divisions of the agency disagreed about the 
meaning of the applicable regulations); Rollins Envtl. Servs., Inc. v. EPA, 937 F.2d 649, 653-54 (D.C. Cir. 1991) (finding that 
agency officials in different regions interpreted the regulation differently and gave conflicting advice to regulated entities); Gates 
& Fox, 790 F.2d at 155 (noting evidence showing that the agency’s review board could not agree on the interpretation of the 
underlying regulation). 

McElroy Elecs. Corp. v. FCC, 990 F.2d 1351, 1362-63 (D.C. Cir. 1993) (finding that the FCC had “misinterpreted” its own 
order by telling the defendant it would accept the licensing applications if they were filed, accepting the applications initially, and 
subsequently rejecting the applications as improperly filed); Radio Athens, Inc. v. FCC, 401 F.2d 398, 403 (D.C. Cir. 1968) 
(noting that five FCC decisions showed that the agency used a different licensing rejection process prior to the process it used to 
reject the application in the case at hand). 

Gen. Elec., 53 F.3d at ; see also Gates & Fox Co. v. OSHRC, 790 F.2d 154, 156 (D.C. Cir. 1986) (Scalia, J.) (“If a 
violation of a regulation subjects private parties to criminal or civil sanctions, a regulation cannot be construed to mean what an 
agency intended but did not adequately express[.]” (quoting Diamond Roofing Co. v. OSHRC, 528 F.2d 645, 649 (5th Cir. 
1976))). 

process requires that parties receive fair notice before the government may deprive them of 
property, such as through the imposition of a fine, the denial of a license application, or by 
requiring an entity to take costly action, such as a product recall. The D.C. Circuit’s 
“ascertainable certainty” test provides a useful tool to analyze current FTC activities in the area 
of information security and highlight challenges and complications to the agency’s exercise of its 
§ 5 authority. 

THE FTC ACT’S PROHIBITION OF “UNFAIR ACTS OR PRACTICES” 

In § 5 of the FTC Act, Congress gave broad powers to the FTC to protect consumers 
from deceptive and unfair trade practices. The FTC has begun using its “unfairness” authority to 
investigate and punish what it believes are companies’ faulty data-security practices. This 
authority needs to be balanced with the due process rights of entities by memorializing the fair 
notice doctrine in statute. 

THE FTC’S “UNFAIRNESS” AUTHORITY 

Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting 
commerce.” An unfair act or practice is one that “causes or is likely to cause substantial injury 
to consumers which is not reasonably avoidable by consumers themselves and not outweighed 
by countervailing benefits to consumers or to competition.” To be a substantial injury, it must 
be significant in magnitude and actual (i.e., the harm has occurred or is imminently threatened). 


Gen. Elec., 53 F.3d at 1328 (concluding that because the agency action resulted in a violation and imposed a fine, fair notice 
must be reviewed); Rollins, 937 F.2d at 653-54 (ruling that a $25,000 fine would be an “imposition of a serious penalty”). 

McElroy Elecs., 990 F.2d at 1363; Satellite Broad., 824 F.2d at 2; Radio Athens, 401 F.2d at 403. 

Chrysler Corp., 158 F.3d at 1355 (ruling that a vehicle recall would have required expenditure of significant amounts of money, 
depriving Chrysler of property). 

15 U.S.C. § 45(a)(1) (2006). 

§ 45(n). 

Letter from the FTC to Hon. Wendell H. Ford and Hon. John C. Danforth, Committee on Commerce, Science and 

Consumer injury may involve either causing very severe harm to a small number of people or “a 
small harm to a large number of people.” The two forms of injury that typically qualify under 
the “unfairness” test are economic harm and harm to health or safety. 

The FTC’s Use of “Unfairness” Authority 

The FTC may use its unfairness authority when the alleged unfair practices and harm to 
consumers are clear. The FTC has used the law’s breadth to regulate a wide range of business 
practices, from the production of farm equipment to telephone bill processing. However, what 
constitutes “unfair” data-security practices is far from clear. The amount of data security 
necessary to make an entity’s practice “fair” under § 5 is unknown. Traditionally, the FTC has 
exercised its unfairness authority when there is obvious and substantial consumer harm, i.e., burn 
injuries and stolen money. In the vast majority of data-security cases, however, the harm may be 
more difficult to determine and may not be “substantial.” In fact, courts have wrestled with 
whether the loss of personal information constitutes a cognizable harm to consumers without 
evidence of actual damages. Actual damages resulting from a particular data-loss incident can 
be difficult to ascertain. For example, even when a breach compromises credit card numbers, 


Transportation, U.S. Senate, Commission Statement of Policy on the Scope of Consumer Unfairness Jurisdiction (Dec. 17, 1980), 
reprinted in In re Int’l Harvester Co., 104 F.T.C. 949, 1070-76 (1984). 

FTC v. Neovi, Inc., 604 F.3d 1150, 1157 (9th Cir. 2010). 

Int’l Harvester, 104 F.T.C. at 1086. 

Id. at 954. 

FTC v. Inc21.com Corp., 475 F. App’x 106, 107-08 (9th Cir. 2012). 

In the class action context, plaintiffs have faced obstacles in meeting standing requirements when they argue that data breaches 
result in a cognizable harm, going so far as to claim that paying for identity theft protection services to preempt identity theft is 
an economic harm caused by the breach. Lower courts have gone both ways on the standing question. Compare Reilly v. 
Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011), Whitaker v. Health Net of California, Inc., No. CIV S-11-0910 KJM DAD, 2012 
WL 174961, at *2 (E.D. Cal. Jan. 20, 2012), and Low v. LinkedIn Corp., No. 11-CV-01468-LHK, 2011 WL 5509848, at *4 (N.D. 
Cal. Nov. 11, 2011), with Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010), Lambert v. Hartman, 517 F.3d 433, 
437 (6th Cir. 2008), and Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007). However, the Supreme Court recently 
enunciated a strict test for standing when plaintiffs allege a risk of future harm, stating that to confer standing, future harm must 
be “certainly impending,” or at least pose a “substantial risk.” Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1143, 1150 n.5 
(2013). Litigants likely will cite Clapper in motions to dismiss in class action litigation involving data breaches for the 
foreseeable future. 

The uncertainty of consumer injury in the data-protection context, and the difficulties inherent in identifying it, are discussed in 
no harm may result because credit card companies refund consumers for any fraudulent charges 
made to their account. Given the complexity of data security, the less-than-clear harm, and the 
fact that third-party criminal activity typically leads to the harm, fair notice is even more 
essential in the data-security context as compared to other types of alleged unfair practices. 

The FTC’s Section 5 Enforcement and Penalty Structure 

When the FTC identifies an “unfair” practice, it may enforce § 5 against the party using 
the practice through an administrative process and issue a cease-and-desist order, which 
commonly results in a consent order. Alternatively, the FTC can file a complaint in court, 
seeking injunctions and consumer redress against defendants through adjudication and fact 
finding for alleged violations of § 5. 

In the areas of privacy and data security, the FTC has typically followed the 
administrative process and entered into consent orders with defendants. The full Commission 
must approve consent orders, and they are subject to notice and public comment before 
becoming effective. 

Any violation of a consent order can result in civil penalties of up to $16,000 per 
violation, and “[e]ach separate violation . . . [is] a separate offense . . . [and] each day of 
continuance of such failure or neglect shall be deemed a separate offense.” Under this violation 
calculus, violations and fines can accumulate quickly, and entities face potentially ruinous 
penalties hanging over their heads for 20 years after entering into a consent order. 


the briefs of amici curiae in the Wyndham Case. 

15 U.S.C. § 45(b)-(c), (g) (2006). 

15 U.S.C. § 53(a)-(b) (2006). 

16 C.F.R. § 2.34 (2012). 

Section 5(l) of the FTC Act, 15 U.S.C. § 45(l) (2006), as modified by the Federal Civil Penalties Inflation Adjustment Act of 
1990, 28 U.S.C. § 2461 (2006), and Section 1.98(c) of the FTC’s Rules of Practice, 16 C.F.R. § 1.98(c) (2012), authorizes a 
court to award monetary civil penalties of not more than $16,000 for each such violation of a consent order. 

15 U.S.C. § 45(l). 
For example, the FTC filed an action against Google for violating a consent order when 
Google allegedly used cookies for advertising purposes on Apple Safari users’ browsers despite 
the language in its privacy policy. The result was the FTC’s largest fine ever for an order 
violation: $22.5 million. In its complaint, the FTC alleged that each time Google made a 
misrepresentation to a user, Google violated the order. Therefore, the FTC appears to have 
calculated the number of violations based on the number of people who saw the alleged 
misrepresentations. Considering the number of Google users, the number of people who 
potentially saw these alleged misrepresentations could be in the millions, and a $16,000 fine for 
each of a million users would result in a very large civil penalty. Given the potential seriousness 
of these penalties, the significance of fair notice cannot be understated. 

THE FTC USES SECTION 5 OF THE FTC ACT TO INVESTIGATE AN ALLEGED 
LACK OF PROPER DATA-SECURITY SAFEGUARDS 

The FTC Act grants the FTC both specialized rulemaking and enforcement authority 
under § 5, although the agency’s rulemaking authority is limited. The FTC’s rulemaking 
authority, which is commonly referred to as Magnuson-Moss rulemaking, includes additional 
requirements that are more cumbersome than the more traditional Administrative Proceedings 
Act (APA) process. For example, the FTC Act requires the FTC to “provide for an informal 
hearing” in which interested parties are entitled to present oral testimony and potentially 
cross-examine witnesses. Due to this potentially inefficient and time consuming process, the FTC has 
not used its rulemaking authority to issue rules related to data security. 


Order Approving Stipulated Order for Permanent Injunction and Civil Penalty Judgment at 1-2, United States v. Google Inc., 
No. CV 12-04177 SI (N.D. Cal. Nov. 16, 2012). 

Id. at 2. 

Id. at 7. 

15 U.S.C. § 57a(a)(1)(B) (“[T]he Commission may prescribe . . . rules which define with specificity acts or practices which 
are unfair or deceptive acts or practices in or affecting commerce.”). 

See Lydia B. Parnes & Carol J. Jennings, Through the Looking Glass: A Perspective on Regulatory Reform at the Federal 
Trade Commission, 49 ADMIN. L. REV. 989, 995 (1997). 

As with formal rulemaking, the FTC has also declined to clarify “fair” data security 
through formal adjudication. The FTC argues that its consent orders provide fair notice. 
According to the FTC, it has brought more than 40 data-security enforcement actions since 
2000. At least seventeen of those actions alleged unfair practices. However, none of the cases 
resulted in formal adjudications by the FTC or the courts. Instead, each resulted in a settlement 
agreement with the respective defendants. The FTC publishes information about its enforcement 
activity, including the details of the complaints and consent orders, in what some proponents of 
this approach increasingly refer to as an emerging “common law” of privacy. 

The FTC’s settlement and consent decree-focused approach to data security consumer 
protection arguably creates some likelihood of potential actual notice of the agency’s 
interpretation of § 5. The FTC’s data-security-related complaints frequently use terms like 
“reasonable,” “appropriate,” “adequate,” or “proper” to describe the security safeguards that the 

15 U.S.C. § 57a(b), (c); see also Brief of Amici Curiae Chamber of Commerce of the United States of America, Retail 
Litigation Center, American Hotel & Lodging Association, and National Federation of Independent Business in Support of 
Defendants at 21, FTC v. Wyndham Worldwide Corp., No. 2:13-cv-01887-ES-SCM (D.N.J. May 3, 2013) [hereinafter Chamber 
of Commerce Brief] (noting that “[b]y Congressional Design, [the agency’s] rulemaking authority is more burdensome on the 
FTC than rulemaking authority normally provided to administrative agencies under the APA; among other restrictions, for 
example, the statute permits interested parties to cross-examine witnesses”). 

Prepared Statement of the Federal Trade Commission on Data Security: Hearing Before the Subcomm. on Commerce, Mfg., 
and Trade of the H. Comm. on Energy and Commerce, 112th Cong. 11 (2011) (statement of Edith Ramirez, Comm’r, Federal 
Trade Commission) (“[E]ffective consumer protection requires that the Commission be able to promulgate rules in a more timely 
and efficient manner.”). 

Wyndham FTC Response, supra n. 4, at 19. 

Id. at 13. 

See also Tech Freedom Brief at 4. 

In August 2013, the FTC filed a complaint against LabMD following an alleged data breach. The case was not resolved at the 
time of this writing. Press Release, Fed. Trade Comm’n, FTC Files Complaint Against LabMD for Failing to Protect Consumers’ 
Privacy (Aug. 29, 2013), available at http://www.ftc.gov/opa/2013/08/labmd.shtm. 

Id. 

See, e.g., Julie Brill, Comm’r, Fed. Trade Comm’n, Keynote Address at the 12th Annual Loyola University Chicago School of 
Law Antitrust Colloquium: Privacy, Consumer Protection, and Competition 1 (Apr. 27, 2012), available at 
http://www.ftc.gov/speeches/brill/120427loyolasymposium.pdf; see generally Daniel J. Solove & Woodrow Hartzog, The FTC 
and the New Common Law of Privacy (Aug. 15, 2013), available at http://ssrn.com/abstract=2312913 (last visited Aug. 30, 
2013) (contending that the “FTC’s privacy jurisprudence is the functional equivalent to a body of common law,” and examining 
it as such). 
agency maintains are required under § 5. These complaints, which form the basis of the 
underlying consent orders, alleged that § 5 was violated due to some combination of failing to: 
have an information security policy; implement system monitoring; fix known vulnerabilities; 
maintain firewalls and updated antivirus software; use encryption; implement intrusion detection 
and prevention solutions; store information only as long as necessary; and prepare for known or 
reasonably foreseeable attacks. However, because the FTC cryptically states that the failures 
“taken together” violate § 5 and each complaint lists different data-security practices, these 
complaints do not provide an effective “data-security blueprint.” The FTC’s standard mode of 
operation is to issue non-authoritative suggested guidelines and deal with unfairness actions 
through settlement. Neither of these practices provides entities with reliable guidance useful in 
avoiding unfairness actions. Michael D. Scott, a “pioneer” in the field of high-technology law 
and public policy and graduate of MIT and UCLA School of Law, has criticized the FTC, noting 
that “[t]he complaints and consent orders entered into in these cases provide limited guidance as 
to what a company should do (or not do) to avoid being the target of an unfairness action by the 
FTC if it experiences a security breach.” 

The FTC’s consent orders in data-security cases also require some specific data-security 
practices of those companies whose practices are now supervised directly by the agency, such 


In its response to Wyndham’s motion to dismiss, the FTC reiterated, “unreasonable data security practices are unfair.” See 
Plaintiff’s Response in Opposition to Wyndham Hotels and Resorts’ Motion to Dismiss at 17, FTC v. Wyndham Worldwide 
Corp., No. 2:13-CV-01887-ES-SCM (D.N.J. June 17, 2013). Some commentators may suggest that there is no security standard 
because good security varies based on too many factors. This article agrees with that conclusion, but the FTC does not. The FTC 
seems to be using a security standard when it chooses whether to file complaints against entities for their “unreasonable” security 
practices. The FTC has issued “guidance” that looks like a standard, but the agency has not communicated that it is the law. 
Communicating the legal standard to entities will help entities understand what “reasonable” security looks like before they 
receive the FTC complaint. 

Complaint at 2-5, In re ACRAnet, Inc., No. C-4331 (Aug. 17, 2011); Complaint at 2-3, In re Ceridian Corp., No. C-4325 (June 
8, 2011); Complaint at 2-3, In re BJ’s Wholesale Club, Inc., No. C-4148 (Sept. 20, 2005). 

Michael D. Scott, FTC, the Unfairness Doctrine, and Data Security Breach Litigation, 60 ADMIN. L. REV. 183 (2008). 

Consumer Online Privacy: Hearing Before the S. Comm. on Commerce, Sci., and Transp., 111th Cong. 9-11 nn.20-25 (2010) 
(testimony of Jon Leibowitz, Chairman, Federal Trade Commission) (“The Commission’s robust enforcement actions have sent a 
strong signal to industry about the importance of data security, while providing guidance about how to accomplish this goal.”). 
as a requirement that the company implement a “comprehensive information security 
program.” The imposed program typically includes: (1) designating employees responsible for 
data security; (2) implementing reasonable safeguards to protect against identified security risks, 
including prevention, detection, and response to intrusions; (3) implementing privacy controls 
appropriate for the business, data use, and sensitivity of the information; and (4) performing 
regular testing, monitoring, and adjusting of privacy controls. These data-security practices also 
may give entities some notice of what the FTC believes § 5 requires, but whether they are 
authoritative interpretive documents, given their negotiated, non-precedential nature, lack of 
judicial review, and agency statement of their non-binding nature, remains an open question. 

THE FTC’S PUBLIC STATEMENTS 

Even though the FTC has not exercised its specialized hybrid-rulemaking authority to 
issue any formal data-security rules or regulations, the FTC argues that it “has been 
investigating, testifying about, and providing public guidance on companies’ data-security 
obligations under the FTC Act for more than a decade” and that companies have sufficient 
notice “from both government and industry sources,” suggesting that companies can follow the 
NIST, PCI-DSS, or ISO standards. The FTC also argues that its business guidance provides fair 
notice. 

In 2011, the FTC issued Protecting Personal Information: A Guide for Business, which 
lists 36 detailed recommendations related to network security, password management, laptop 


E.g., Decision and Order at 6-7, In re UPromise, Inc., No. C-4351 (Mar. 27, 2012); Decision and Order at 3, In re Ceridian 
Corp., No. C-4325 (June 8, 2011); Decision and Order at 3-4, In re Twitter, Inc., No. C-4316 (Mar. 2, 2011) [hereinafter Twitter 
Decision & Order], available at http://www.ftc.gov/os/caselist/0923093/110311twitterclo.pdf. 

See Plaintiff’s Response in Opposition to Wyndham Hotels and Resorts’ Motion to Dismiss at 7, FTC v. Wyndham Worldwide 
Corp., No. CV 12-1365-PHX-PGR (D. Ariz. Aug. 9, 2012). 

Wyndham FTC Response, supra n. 4, at 17-18. 

Id. at 18-19. 
security, firewall usage, wireless and remote access, and detection of data breaches. Many of 
the recommendations listed in this publication also appear in the FTC’s complaints. The 
document also explains that “[s]tatutes like . . . the Federal Trade Commission Act may require 
you to provide reasonable security for sensitive information,” although the statute neither refers 
to “security” nor defines “sensitive information.” 

The FTC has also been a leader amongst various agencies in using the Internet and social 
media to disseminate information about the law and best practices. For example, an FTC Web 
site posting by an FTC attorney states, “[T]he FTC has tried to develop a single basic standard 
for data security that strikes the balance between providing concrete guidance, and allowing 
flexibility for different businesses’ needs. The standard is straightforward: Companies must 
maintain reasonable procedures to protect sensitive information. Whether a company’s security 
practices are reasonable will depend on (1) the nature and size of the company; (2) the types of 
information the company has; (3) the security tools available to the company based on the 
company’s resources; and (4) the risks the company is likely to face.” The crux of the 
constitutional question is when are these settlements, tweets, speeches and blog posts 
authoritative for interpretive purposes? And, assuming they can be, do they create the “ascertainable 
certainty” the Constitution requires before penalizing a party? 


FED. TRADE COMM’N, PROTECTING PERSONAL INFORMATION: A GUIDE FOR BUSINESS (Nov. 2011), 
available at http://www.business.ftc.gov/sites/default/files/pdf/bus69-protecting-personal-information-guide-business_0.pdf. 

Id. at 5. 

In fact, the troubling constitutional implications of having the government regulate how and what people can say about 
someone to protect privacy continue to present recurring problems. See, e.g., Bartnicki v. Vopper, 532 U.S. 514, 534-35 (2001) 
(holding that the protections of the First Amendment to disclose information about a public issue trumps the protections against 
illegally intercepted communications under the Electronic Communications Privacy Act); see generally Eugene Volokh, 
Freedom of Speech and Information Privacy: The Troubling Implications of a Right to Stop People From Speaking About You, 
52 STAN. L. REV. 1049, 1050-51 (2000). It is unclear whether the FTC considered these and other potential complications while 
creating federal “privacy” rights through its actions. 

Burke Kappler, Protecting Personal Information - Know Why, BUREAU OF CONSUMER PROT. BUS. CTR. (Oct. 2007), 
available at http://business.ftc.gov/documents/art08-protecting-personal-information-know-why. 
APPLYING THE FAIR NOTICE DOCTRINE TO THE FTC’S INTERPRETATION OF 
SECTION 5 

The D.C. Circuit’s “ascertainable certainty” fair notice test is a helpful way to examine 
the FTC’s data security enforcement activities to see what data protection may be required as 
a matter of law. In its fair notice analysis, the D.C. Circuit reviews whether: (1) the plain text of 
the law is silent or unclear, and the entity’s interpretation is plausible; (2) the agency has 
published clarification of its interpretation or performed other actions providing notice; (3) the 
agency has made conflicting interpretations; and (4) the entity faces a serious penalty. As 
described more fully below, in a nutshell, the statutory text is silent, the agency’s interpretations 
are often seemingly unknown or unknowable in the eyes of those prosecuted, the agency 
maintains it has clarified its interpretations and otherwise provided fair notice and, as a result of 
these interpretations, serious penalties are faced by those prosecuted. 

SECTION 5 IS SILENT ON DATA SECURITY 

The text of § 5 prohibits “unfair or deceptive acts or practices in or affecting 
commerce.” But the practical difficulties confronting the agency and those subject to its 
regulation are readily apparent when one refers to the enabling text of the statute itself. The FTC 
Act prohibits “unfair or deceptive acts or practices,” and leaves the agency with broad authority 
and discretion to regulate practices that “cause[ ] or [are] likely to cause substantial injury to 
consumers which is not reasonably avoidable by consumers themselves and not outweighed by 
countervailing benefits to consumers or to competition.” Congress intentionally used broad 


15 U.S.C. § 45(a)(1) (2006). 

Id. § 45(n). 

language so the FTC could address unanticipated practices in a changing economy. The 
language of the statute itself is plain and does not reference any kind of data security or 
applicable standards for computer software and hardware systems. 

THE FTC PUBLICATIONS ARE ADVISORY AND UNCLEAR 

When the statutory language does not provide clarity on legally required data-security 
safeguards, agency statements or activities take on added significance. In particular, a reviewing 
court should not confine its inquiry to a search for some document listing information that it 
could label “actual notice,” because in most cases evidence will suggest that some notice existed. 
Rather, a reviewing court should focus on whether the provision of notice through methods, such 
as recommendations and consent orders, constitutes fair notice and satisfies due process. Under 
this analysis, the FTC’s recent and historic notice methods in this area remain problematic under 
the fair notice doctrine, because they do not clearly distinguish the law from best practices or 
explain why legal requirements may apply in some cases and not others. 

The D.C. Circuit conducts a broad inquiry for sources of notice. Previously, it has 
reviewed regulatory guidance and notices of proposed rulemaking published in the Federal 
Register, adjudicatory opinions, and agency policy statements. These methods of 
information dissemination represent statements by the agency about how it intends to interpret 
the laws it is obliged to enforce. These publications are also sources that organizations may be 


See FTC v. Accusearch, Inc., 570 F.3d 1187, 1194 (10th Cir. 2009) (“[T]he FTCA enables the FTC to take action against unfair practices that have not yet been contemplated by more specific laws.”). 

The FTC argues in Wyndham that industry provides notice of reasonable security standards. Wyndham FTC Response, supra n. 4, at 17-18. The legal standard for fair notice reviews what the agency states is the law, not what an industry body suggests are best practices. 

Darrell Andrews Trucking, Inc. v. FMCSA, 296 F.3d 1120, 1130-32 (D.C. Cir. 2002); United States v. Chrysler Corp., 158 F.3d 1350, 1356 (D.C. Cir. 1998). 

Darrell Andrews Trucking, 296 F.3d at 1130-32. 

Gen. Elec. Co. v. EPA, 53 F.3d 1324, 1333 (D.C. Cir. 1995). 
expected to review. Conversely, providing information through settlements with individual parties and recommendations posted on an agency website do not seem to rise to the same level of importance, and organizational awareness of these information sources is likely limited. 

The FTC Has Not Published Notice in the Federal Register or a Policy Statement 

The FTC has not issued any guidance or notices in the Federal Register to explain what it 
views as adequate data security under § 5. In addition to not using the Federal Register or formal 
adjudication, the FTC has not published policy statements. As a practical matter, the agency has 
not yet taken the opportunity to use all of the tools it has to address a serious problem facing 
industry, who increasingly find themselves feeling twice-victimized. 

The FTC Has Used Only Informal Adjudicatory Processes 

Agency adjudications are formal actions by an agency, and entities regulated by that agency closely scrutinize them. These adjudications may provide precedential value, and 
entities are aware that adjudications are policymaking tools for agencies. Therefore, agencies 
may expect entities to be aware of relevant agency adjudications. 

The FTC has not issued any adjudicatory opinions expressing its view on what data- 
security practices § 5 requires. Instead, as sources of notice, the agency points to the collection of 
published complaints and the attendant consent orders describing one entity’s particular data- 
security practices that the FTC has deemed inadequate. Courts might consider both sources as 


More practically, courts have not addressed the question of what types of agency activity should be deemed authoritative for 
purposes of fairness analysis in ways similar to the analysis of agency deference in Chevron or Mead. 

See Steven P. Croley, Theories of Regulation: Incorporating the Administrative Process, 98 COLUM. L. REV. 1, 114 (1998) (noting that agency adjudications “sometimes have far-reaching, prospective effects on entire industries,” and “often apply prospectively to similarly situated parties not part of the immediate adjudication process”). 

A collection of complaints and consent orders can be found on the FTC’s website. Legal Resources, BUREAU OF CONSUMER PROT., http://business.ftc.gov/legal-resources/29/35 (last visited Aug. 3, 2013). At least one commentator has observed that entities, and their attorneys, scrutinize the FTC’s complaints and consent orders as though they were formal 
guidance from the agency as a whole under the “ascertainable certainty” test. 

Complaints and consent orders are not part of a formal adjudicatory process and do not 
contain reasoned analysis of the FTC’s interpretation of the law. Rather, the complaints list 
what the FTC believes to be faulty data-security practices in one particular case. The 
circumstances of each case differ, and, unlike formal adjudications, the FTC has not articulated 
why data-security practices in one case may violate § 5 while those same practices may not 
violate § 5 in another context. Moreover, the consent orders are settlement agreements among the 
parties and have no legal bearing, precedential or otherwise, on third parties. For these reasons, 
there is little reason for a court to accept such statements as “authoritative” for purposes of 
evaluating whether they provide constitutionally required fair notice. If regulated entities cannot 
know with certainty that the complaints and consent orders are the law as applied to them, then 
the complaints and consent orders may not be sufficiently authoritative to provide fair notice. 

An agency can expect an entity that it regulates to comply with policy made through 
formal adjudication. However, requiring entities to review allegations contained in unfiled 
complaints with attendant settlement orders begs the question as to whether such actions are 
suitably authoritative to address fundamental fairness concerns. 

Fair Notice Analysis of the FTC’s Best Practices Guide 

Sadly, for whatever reason, the agency itself has done less than it could to help clarify 


adjudications. Solove & Hartzog, supra n. 61, at 25 (discussing that privacy attorneys view FTC settlements like cases interpreting statutes). However, even after careful scrutiny, privacy attorneys cannot definitively advise their clients on what they must do versus what they should do. 

See TechFreedom Brief at 8 (“Settlements (and testimony summarizing them) do not in any way constrain the FTC’s 
subsequent enforcement decisions . . . [and] unlike published guidelines, they do not purport to lay out general enforcement 
principles and are not recognized as doing so by courts and the business community.”). 

United States v. ITT Continental Baking Co., 420 U.S. 223, 238 (1975) (“[A] consent decree or order is to be construed for enforcement purposes basically as a contract.”); United States v. Armour & Co., 402 U.S. 673, 681-82 (1971) (“Consent decrees are entered into by parties to a case after careful negotiation has produced agreement on their precise terms.”). 

See Solove & Hartzog, supra n. 61, at 24-27 (arguing that the complaints and settlements are in many ways “the functional equivalent of common law”). 
which of its statements should have the force of law or otherwise provide guidance on the 
underlying legal requirements for data security. For example, the FTC describes its data security 
guide, Protecting Personal Information: A Guide for Business, as: “Practical tips for business on 
creating and implementing a plan for safeguarding personal information.” The guide suggests 
to “[u]se the checklists on the following pages to see how your company’s practices measure 
up — and where changes are necessary.” The guide does not state that the items in the checklists 
are required by law or that an entity’s compliance with the checklists will ensure that its data 
security is not an unfair practice. The guide further provides little instruction on when a 
particular recommendation is a legal requirement or otherwise is or would be a best practice. 

Courts, including the D.C. Circuit, have not yet reviewed generally whether an agency’s 
best practices guide provides fair notice of unlawful conduct. If a reviewing court finds that a 
best practices guide is “authoritative,” the court likely would consider the FTC’s best practices 
guide in its analysis. However, there will be a question of the amount of weight a court will give such a guide since it is only a set of recommendations. 

Courts place agency action on a spectrum to determine how much deference to afford an 
agency interpretation of the laws that it enforces. On one end of the spectrum formal rulemaking 
and adjudication and some informal actions are afforded Chevron deference. On the other end of the spectrum are interpretations made by agencies to which Congress has not given sufficient authority. Courts grant those interpretations no deference. To determine whether Chevron 
deference is appropriate for interpretations made outside the context of formal rulemaking or 

FED. TRADE COMM’N, supra n. 70. 

FED. TRADE COMM’N, supra n. 70. 

The D.C. Circuit reviews “public statements issued by the agency.” Gen. Elec. Co. v. EPA, 53 F.3d 1324, 1329 (D.C. Cir. 1995). 

Distinguishing between what is required and what is advisory in these guides can be practically impossible without authoritative distinctions between the two, an issue frequently dismissed among practitioners and agency staff and management. 

Mead Corp., 533 U.S. at 229-30. 

See id. at 231. 
adjudications, courts consider whether: (1) Congress intended the agency to interpret the statute with the force of law; (2) the agency action binds only individual parties to a ruling or also applies to third parties; and (3) the interpretation is made by the agency as a whole or by agency staff on an ad hoc basis. The Supreme Court in United States v. Mead noted explicitly that interpretations contained in policy statements, agency manuals, enforcement guidelines, and opinion letters do not deserve Chevron deference because they lack the force of law. 

The FTC Data-Security Best Practices Guide is simply a list of recommendations; it is 
not the result of formal rulemaking or adjudication and does not bind any parties. It is more 
similar to the policy statements, agency manuals, enforcement guidelines, and opinion letters that 
courts have held do not deserve Chevron deference. For an interpretation to provide fair notice, it 
must come from a position of authority. Similarly, staff attorneys’ Internet postings discussing 
data security do not represent the entire agency and are not authoritative. Accordingly, a court 
would probably not appropriately consider the FTC staff attorneys’ Internet postings at all in its 
fair notice analysis. Doctrinally, Mead laid important groundwork regarding why much of what 
the FTC has been saying - especially given its chosen means - raises a serious constitutional question of fair notice. 

Concerns Stemming from the Lack of Concrete and Authoritative Notice 

Consent orders, the FTC’s interpretive guidance to entities, consist of little more than 
published reports and its reliance on consent orders. In particular, the agency has not used its 
formal rulemaking authority and has not had any formal adjudication through which to 


See id. at 231-34. 

Id. at 234; Christensen, 529 U.S. at 587. 

See Gates & Fox Co. v. OSHRC, 790 F.2d 154, 157 (D.C. Cir. 1986) (Scalia, J.). 

Thirty-six data-security cases were brought under the FTC Act. Plaintiff’s Response in Opposition to Wyndham Hotels and Resorts’ Motion to Dismiss at 7, FTC v. Wyndham Worldwide Corp., No. CV 12-1365-PHX-PGR (D. Ariz. Aug. 9, 2012). 
communicate its interpretations. Thus, entities have very little guidance. They have: (1) lists of 
fairly detailed data-security practices published in single-party complaints; (2) consent orders 
with vague descriptions of comprehensive information security programs; and (3) published 
guidance in which the FTC encourages rather than requires entities to implement data-security 
safeguards. With such scant and non-authoritative guidance, the central due process question 
remains whether such information provides “fair” notice adequate to address constitutional 
concerns. To be sure, the FTC’s published complaints, consent orders, and the aforementioned 
data-security guide identify many of the same data-security requirements it alleges investigation 
targets do not adequately maintain. Nevertheless, some notice is not fair notice — which is a 
practical constitutional question befuddling many individuals and begging the question: Does 
reasonable information security require an FTC and administrative law specialist to figure out 
what the law requires? 

Due process requires examining the nature and quality of the notice to ensure entities 
have a clear description of required behavior from an authoritative source (i.e., fair notice) — 
which settlements with third parties and agency recommendations do not provide. Moreover, a 
post hoc review of whether sufficient authoritative notice existed at the time of the alleged 
violations is difficult considering an assessment of current requirements is impossible. 

Section 5 Violation May Result in Serious Penalty 

Under § 5, the FTC cannot directly impose or request a monetary penalty. Congress 
provided the FTC with the sole remedy to issue an order requiring an entity to cease and desist 
certain conduct, in part, to avoid potential due process concerns. If a party violates a cease-and- 


Michael J. Pelgro, Note, The Authority of the Federal Trade Commission to Order Corrective Advertising, 19 B.C. L. REV. 899, 907 (1978). 
desist order, a court can order a civil penalty, the rescission of contracts, restitution, refunds, and disgorgement. Alternatively, the FTC can request that a court issue an injunction prohibiting certain behavior. Few would seem to argue that a violation of § 5 could not result in a 
substantial loss of property implicating the fair notice doctrine. 

Given the relative paucity of authoritative agency interpretation, whether existing FTC 
activities have provided “fair notice” remains an open question. Section 5 of the FTC Act gives 
the FTC broad authority to combat “unfair trade practices.” The statutory language does not 
provide notice of required data-security safeguards. The FTC has chosen not to issue regulations 
to explain what data-security practices are “unfair.” While the agency’s informal 
communications may provide some notice about the FTC’s position, whether courts should deem 
these communications as sufficiently authoritative to provide fair notice is questionable. Perhaps 
more importantly, many businesses struggle with understanding what’s required of them and are 
often stunned after a security incident to learn that the party most likely to be prosecuted is in 
fact the organization that held the underlying information — not the perpetrators. 

CHALLENGES OF THE FTC’S APPROACH AND MOVING FORWARD 

Even if a court concluded that fair notice of required data security practices exists, there 
seems to be little doubt that underlying legal requirements and the process of determining what is 
“reasonable” data security could be communicated more effectively. Ironically, an agency that 


15 U.S.C. § 45(l) (2006) (“Any person, partnership, or corporation who violates an order of the Commission after it has become final, and while such order is in effect, shall forfeit and pay to the United States a civil penalty of not more than $10,000 for each violation . . . .”); id. § 57b(b) (“The court in an action under subsection (a) of this section [an action following a cease and desist order] shall have jurisdiction to grant such relief as the court finds necessary to redress injury to consumers or other persons, partnerships, and corporations resulting from the rule violation or the unfair or deceptive act or practice, as the case may be. Such relief may include, but shall not be limited to, rescission or reformation of contracts, the refund of money or return of property, the payment of damages, and public notification respecting the rule violation or the unfair or deceptive act or practice, as the case may be; except that nothing in this subsection is intended to authorize the imposition of any exemplary or punitive damages.”). 

Id. § 53(b) (allowing the court to issue a temporary restraining order, preliminary injunction, or permanent injunction). 
calls on companies to be more transparent about their business practices has not been transparent 
about its data-security policy, seemingly constrained by the practical difficulties of using 
investigations and enforcement actions to provide fair notice. 

The D.C. Circuit recommended agency rulemaking instead of a series of adjudicative 
proceedings to explain a regulation because “full and explicit notice is the heart of administrative 
fairness.” The FTC seems to agree that traditional APA rulemaking may be superior to 
adjudicative proceedings, but it has not yet undertaken to use the modified APA rulemaking 
authority it already possesses. The FTC has supported federal legislation that would prescribe 
data-security requirements. The agency recommended that Congress phrase the legislation in 
general terms, using broad definitions, to allow the implementing agency to promulgate rules or 
regulations to “provide further guidance to Web sites by defining fair information practices with 
greater specificity.” The FTC stated that regulations could clarify the definition of “adequate security.” 

FORMAL RULEMAKING MAY PROVIDE FAIR NOTICE BENEFITS 
The FTC Has Issued Rules Pursuant to Other Data-Security Related Statutes 

While the FTC has not used its current limited rulemaking authority under § 5 to clarify 
“unfair” data-security practices due to onerous rule-making proceedings, Congress has directed 
the FTC to promulgate regulations under other laws, such as COPPA and FACTA. As 


Radio Athens, Inc. v. FCC, 401 F.2d 398, 404 (D.C. Cir. 1968) (“[T]he agency could and should have proceeded to accomplish its result by exercising its broad rulemaking power.”). 

FED. TRADE COMM’N, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC 
MARKETPLACE 37 (2000) [hereinafter FED. TRADE COMM’N, PRIVACY ONLINE]. 

Id. (internal quotation marks omitted). 

15 U.S.C. § 1681m(e) (FACTA); § 6502(b)(1) (COPPA). 
expected, entities have fully participated in the process. In addition, the FTC altered its proposed rules based on the comments it received. The process and resulting rulemaking have 
proven far more likely to yield “ascertainable certainty” of the agency’s interpretation. 

While the final rules the FTC implemented may result in inflexible requirements rather 
than adaptable principles, the quality of the rules promulgated by the FTC in these instances is 
beside the point for addressing fair notice concerns. All parties received an opportunity to 
participate in a public and deliberative process and potentially affect the outcome. The rule- 
making process also leads to rule refinement outside the enforcement context, which may allow 
the parties to more objectively view and craft the rules. As it currently stands, recent agency 
data-security investigations reflect private, non-public refinement of statutory interpretations 
lacking transparency and clarity. This process runs the practical risk of creating a costly and 
vexatious guessing game for businesses constrained by a lack of consensus and clarity. The FTC 
clearly does not intend this consequence. Those subject to FTC data security requirements lack 
the benefit of any authoritative policy statements on these issues. 

Fair Notice Benefits of Rulemaking 

There are specific fair notice advantages to rulemaking over the prosecution and 
settlement approach used by the agency. Rulemaking can provide regulated entities with clear 


See Children’s Online Privacy Protection Rule, 78 Fed. Reg. 3972, 3972-73 (Jan. 17, 2013) (to be codified at 16 C.F.R. pt. 312); Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 Fed. Reg. 63,718, 63,718 (Nov. 9, 2007) (codified at 16 C.F.R. pt. 681). 

Children’s Online Privacy Protection Rule, 64 Fed. Reg. 59,888, 59,889 (Nov. 3, 1999) (codified at 16 C.F.R. pt. 312); Identity Theft Red Flags, 72 Fed. Reg. at 63,719. 

Rulemaking is not a panacea. Inflexible rules in a fast-changing environment are problematic. However, the FTC can and 
should provide clear notice on what the law is. Rulemaking is one method to improve such notice. Rules are not inherently bad, 
and a principles-based data-security legal framework (rather than a detailed data-security standard) would be one workable solution. The FTC has already articulated 36 detailed recommendations in its guidance. FED. TRADE COMM’N, supra n. 70. The FTC has also pointed to the NIST and ISO standards for guidance. Wyndham FTC Response, supra n. 4, at 18. The agency 
holds companies accountable to some or all of these recommendations in some fashion. Id. at 17-19. 

See TechFreedom Brief at 9-10 (noting the ways in which rulemaking is preferable to case-by-case adjudication as a method 
guidance, incorporate the thinking of additional stakeholders, prevent cynical speculation regarding agency decision-making, and lessen enforcement and compliance costs. Further, improved notice of a clear rule would likely result in greater compliance. The FTC has not used its existing § 5 rulemaking authority to clarify “unfair” data-security practices because of its alleged impracticality. The FTC does not believe it would “be possible to set forth the type of particularized guidelines” to describe proper data-security safeguards. It has stated that “[d]ata security industry standards are continually changing in response to evolving threats and new vulnerabilities and, as such, are ‘so specialized and varying in nature as to be impossible of capture within the boundaries of a general rule.’” The FTC has also stated that “industries and businesses have a variety of network structures that store or transfer different types of data, and reasonable network security will reflect the likelihood that such information will be targeted and, if so, the likely method of attack.” 

The FTC’s statements are mystifying for two reasons. First, if the FTC does not believe 
that it can properly define “reasonable,” fair notice of the reasonableness standard seems 
unlikely. Second, the FTC seems to have taken the stance that, because technology changes 


of developing agency-enforced law). 

Colin S. Diver, The Optimal Precision of Administrative Rules, 93 YALE L.J. 65, 73, 74 (1983); Brice McAdoo Clagett, Informal Action — Adjudication — Rule Making: Some Recent Developments in Federal Administrative Law, 1971 DUKE L.J. 51, 54-57, 83-84; Bunn et al., No Regulation Without Representation: Would Judicial Enforcement of a Stricter Nondelegation Doctrine Limit Administrative Lawmaking?, 1983 WIS. L. REV. 341, 343-44 (1983). 

See Diver, supra n. 109, at 72, 75. 

Prepared Statement of the Federal Trade Commission on Data Security, supra n. 55, at 11 (“[E]ffective consumer protection requires that the Commission be able to promulgate rules in a more timely and efficient manner.”). 

Wyndham FTC Response, supra n. 4, at 20. At the same time, the White House and Department of Commerce have seemingly articulated an alternative view on prospects for standards development - at least for privacy. “Companies, industry groups, privacy advocates, consumer groups, crime victims, academics, international partners, State Attorneys General, Federal civil and criminal law enforcement representatives, and other relevant groups” have been called together to develop voluntary, enforceable privacy codes of conduct. THE WHITE HOUSE, CONSUMER DATA PRIVACY IN A NETWORKED WORLD: A FRAMEWORK FOR PROTECTING PRIVACY AND PROMOTING INNOVATION IN THE GLOBAL DIGITAL ECONOMY 7 (2012) [hereinafter WHITE HOUSE PRIVACY BILL OF RIGHTS], available at http://www.whitehouse.gov/sites/default/files/email-files/privacy_white_paper.pdf. 

Id. (quoting SEC v. Chenery Corp., 332 U.S. 194, 203 (1947)). 

See Chamber of Commerce Brief at 12 (noting that “it is precisely because the appropriate standards are difficult to ascertain that businesses cannot be held to a nebulous notion of ‘reasonableness,’ all without any formal guidance before they find 
frequently, drafting regulations would be fruitless. However, drafting flexible, principles-based 
regulations would provide guidance to entities and would still apply as technology changes. The 
concept of drafting laws in an ever-changing world is nothing new. Moreover, the complaints 
that the FTC filed a decade ago look similar to the complaints that the agency is filing today. 
Therefore, the FTC’s own actions seemingly contradict that regulations would be impractical or 
out of date upon publication. 

FORMAL ADJUDICATION MAY PROVIDE FAIR NOTICE BENEFITS 

A formal adjudicatory process can help provide notice to entities in two ways. When the 
FTC seeks a formal adjudication, the FTC must report its findings of fact. These findings of fact 
would clearly and officially communicate which data-security practices violate the FTC’s interpretation of § 5. This mode of operation is superior to the current complaint and settlement 
process regarding confusion about legal requirements because it puts the FTC on record and may 
create greater predictability for entities subject to enforcement. To be effective, the agency 
would need to articulate its interpretation and rationale which the current investigation- 
complaint-settlement routine does not. Moreover, the FTC or court can publish an opinion, 
which will further enunciate and clarify the FTC’s interpretation. Judicial review also may 
provide authority supporting the interpretation. 

Like rulemaking, this method of clarifying the FTC’s interpretation can provide 
additional benefits, such as improving legal compliance and preventing entities from wasting 


themselves in violation of the law.”). 

Compare Complaint for Permanent Injunctive and Other Equitable Relief, FTC v. Wash. Data Res., Inc., No. 8:09-cv-02309-SDM-TBM (M.D. Fla. Nov. 10, 2009), with Complaint for Permanent Injunction and Other Equitable Relief, FTC v. SlimAmerica, Inc., No. 0:97-cv-06072-DLG (S.D. Fla. Jan. 24, 1997). 
resources by attempting to comply with unclear requirements. Nevertheless, adjudication may remain less desirable than rulemaking because regulation by adjudication means that nonparties may not be able to protect their rights. In addition, when regulating by adjudication, the public cannot directly monitor an agency. 

ADVISORY OPINIONS, POLICY STATEMENTS, AND OTHER COMMUNICATIONS 

Policies made through formal rulemaking and adjudications are more definitively 
authoritative and can provide entities with clear notice. Advisory opinions, policy statements, 
analysis appended to proposed consent orders, and other similar communications are less formal 
and authoritative, but possibly more effective than the current complaint and settlement process 
and best practice recommendations, as they can communicate agency reasoning and principles. 

CONCLUSION 

No formal rulemakings or adjudications related to data security have occurred to date, 
and the FTC appears to regulate data security primarily through complaints and consent orders. 
This method creates ambiguity because complaints and consent orders are inconsistent or lack 
additional helpful information. It also is unclear whether nonparties to the investigation should 
attempt to follow the complaint, the consent order, neither, or both, or whether implementing 
some or all of the measures would result in “fair” data security. The FTC’s position that 
“security standards can be enforced in an industry-specific, case-by-case manner” provides 
little guidance. This inherent ambiguity poses dangerous and unnecessary compliance risks for 


See Diver, supra n. 109, at 72, 103. 

See Clagett, supra n. 109, at 83. 

See Bunn, supra n. 109, at 343; Clagett, supra n. 109, at 56-57 (citing Holmes v. N.Y.C. Hous. Auth., 398 F.2d 262 (2d Cir. 1968); Hornsby v. Allen, 326 F.2d 605 (5th Cir. 1964)). 

Wyndham FTC Response, supra n. 4, at 22. 
regulated entities due to the potentially serious penalties that may result from non-compliance. 

The FTC’s existing enforcement and guidance practices also pose serious constitutional 
concerns of providing fair notice. Given the current environment of aggressive enforcement 
against the victims of third-party criminal hacking who operate with no clear guidance what data 
security actions they should take to avoid allegations of unfair and deceptive acts and practices, 
improved authoritative interpretations of § 5 are crucial to improve compliance and provide 
entities with sufficient information to perform proper risk management. 

The FTC has several alternative methods for providing more useful and authoritative 
guidance to entities, but simply stating a vague standard will not improve the situation if it does 
nothing to clarify the underlying uncertainty or to resolve the problem of fair notice. A 
“reasonableness” test absent additional, flexible principles-based authoritative guidelines or 
significant additional court-resolved litigation will remain problematic. As FTC guidance states, 
“[t]here’s no one-size-fits-all approach to data security, and what’s right for you depends on the 
nature of your business and the kind of information you collect from your customers.” In other 
words, data-security standards may differ as a function of the sensitivity of the data collected, the 
amount of data collected, and how the data is collected, used, and disclosed to third parties. 

Using the standards of “reasonable” and “appropriate,” without accounting for the nature of the 
business and the kinds of information that are collected may not ensure that fair notice occurs. 
However, these factors should at least be considered as crucial inputs when determining the data- 
security safeguards an entity should implement. Nonetheless, such additional standards would 
still provide no useful guidance without substantial additional stakeholder participation or the 
reasoned and thorough discussion of the flexible standard in a formal adjudicatory opinion. 


FED. TRADE COMM’N, supra n. 70, at 23. 
policy statement, or advisory opinion. 

Moreover, even if the FTC employed formal rulemaking or adjudication, the 
reasonableness test without explanation as currently relied upon by the agency seems less useful 
in contexts like data security, where the meaning of “reasonable” remains subject to ongoing 
technological evolution and prevailing data-protection preferences. This is evident now as 
society continues to debate the balance of strong privacy protections against the societal benefits 
of the free-flow of information. And notably, the FTC itself does not seem to consistently 
define what information is “sensitive,” potentially deserving greater protection. Thus, there 
may be no such thing as “reasonable” privacy and data-security practices until a more 
satisfactory consensus on these issues emerges. 

Given the lack of agreement on what “privacy” is, what data should be protected, and 
what data-security practices should be used to protect that data, any rule based on 
“reasonableness” should also include explanation. Otherwise, the rule is entirely arbitrary, and 
“reasonable” security will be whatever the FTC dictates at that point in time. At any given time, 
an entity would be unable to determine with precision what data-security practices are 
“reasonable,” and whether it could ensure successful compliance with § 5. This situation creates 
due process challenges and a palpable risk of post-hoc rationalization. For all of these reasons 
and those laid out above, the agency continues to have a unique opportunity to take up many of 


WHITE HOUSE PRIVACY BILL OF RIGHTS, supra n. 112, at 5-6. 

In its recent privacy report, “[t]he Commission defines as sensitive, at a minimum, data about children, financial and health 
information, Social Security numbers, and certain geolocation data . . . .” FED. TRADE COMM’N, supra n. 70, at 47 n. 214. The 
privacy report also lists passwords as sensitive information. Id. at 8, 15, 37 n. 174. In other guidance, the FTC includes names 
that identify customers or employees as sensitive information. FED. TRADE COMM’N, DOES YOUR ORGANIZATION 
COLLECT AND KEEP SENSITIVE INFORMATION? 1, available at 
http://www.business.ftc.gov/sites/default/files/pdf/bus52.pdf; FED. TRADE COMM’N, supra n. 70, at 5. A person’s name can hardly 
be considered sensitive personal information, and the FTC has recently implied that passwords are not sensitive. Press Release, 
Fed. Trade Comm’n, Tracking Software Company Settles FTC Charges that It Deceived Consumers and Failed to Safeguard 
Sensitive Data It Collected (Oct. 22, 2012), available at http://www.ftc.gov/opa/2012/10/compete.shtm. 
the tools it has at its disposal to address the practical problem that businesses face in being 
unable to determine better what data security measures are required as a matter of law and which 
practices are simply better or best. 
Chairman ISSA. Mr. Hartzog. 

STATEMENT OF WOODROW HARTZOG 

Mr. Hartzog. Chairman Issa, Ranking Member Cummings, and 
members of the committee, thank you very much for inviting me 
to provide testimony today. My name is Woodrow Hartzog, and I’m 
an associate professor at Samford University’s Cumberland School 
of Law and affiliate scholar at the Center for Internet and Society 
at Stanford Law School. I am testifying today in my personal aca- 
demic capacity, and not on behalf of any entity. 

For the past 2 years, my coauthor, Daniel Solove, and I have re- 
searched the Federal Trade Commission’s regulation of privacy and 
data security breaches, which I will collectively call data protection. 
We have analyzed all 170-plus FTC data protection complaints to 
find trends and understand what the FTC’s data protection juris- 
prudence actually tells us. I would like to make two main points 
regarding what I’ve learned about the FTC’s regulation in this 
area. 

First, the FTC’s regulation of privacy and data security under 
Section 5 has served a vital role in the U.S. system of data protec- 
tion. The FTC’s involvement has given a heavily self-regulatory 
system of data protection necessary legitimacy and heft. The FTC 
also fills significant gaps left by the patchwork of statutes, torts, 
and contracts that make up the U.S. data protection scheme. 

The FTC’s regulation of data protection also helps foster con- 
sumers’ trust in companies. It is very difficult for consumers to de- 
termine whether a company has reasonable data security practices 
or not. The FTC’s regulation of data protection helps give con- 
sumers confidence that their personal information will be safe and 
properly used. 

The second point that I would like to make is that the over- 
whelming pattern that is apparent from the FTC’s data protection 
jurisprudence is that the agency has acted judiciously and consist- 
ently in outlining the contours of impermissible data protection 
practices. Section 5 of the Federal Trade Commission Act generally 
prohibits unfair or deceptive trade practices. This is an inten- 
tionally broad grant of authority. Congress explicitly recognized the 
impossibility of drafting a complete list of unfair, deceptive trade 
practices. Any such list is destined to be quickly outdated or easily 
circumvented. 

Despite this broad grant of authority, the FTC actually brings 
relatively few data security complaints, especially compared to the 
total number of reported data breaches. The Privacy Rights Clear- 
inghouse has reported that since 2005, there have been over 4,300 
data breaches made public, with a total of 868 million records 
breached. Yet the FTC has filed only 55 total data security-related 
complaints, averaging around 5 complaints a year since 2008. In- 
stead of attempting to resolve all of the data breaches, the FTC 
typically pursues only what it considers to be the most egregious 
data security practices. 

The FTC has used a reasonableness standard to determine what 
constitutes an unfair, deceptive data security practice. What con- 
stitutes reasonableness is determined virtually entirely by industry 
standard practices, and is contingent upon the sensitivity and vol- 
ume of data, the size and complexity of a company, and the costs 
of improving security and reducing vulnerabilities. This deference 
to industry keeps the FTC from creating arbitrary and inconsistent 
data rules. 

The FTC does not pull rules out of thin air. Rather, it looks to 
the data security field and industry to determine fair and reason- 
able practices. Virtually all data security regulatory regimes which 
use a reasonableness approach, of which there are many, not just 
the FTC, have four central requirements in common: identification 
of assets and risks; data-minimization procedures; administrative, 
technical and physical safeguards; and data breach response plans. 
The details of these requirements are filled in by industry frame- 
works, accessible resources online, and a vast network of privacy 
professionals and technologists dedicated to helping companies of 
all sizes understand their data protection obligations. 

Of course there is always room for improvement with any regu- 
latory agency, but diminishing FTC power will probably not ulti- 
mately make the climate easier for business. In fact, given the vital 
importance of data protection in commerce, a reduction in FTC au- 
thority would likely result in the passage of more restrictive and 
possibly conflicting State laws regarding data security, more ac- 
tions by State attorneys general, more lawsuits from private liti- 
gants, and more clashes with the European Union over the legit- 
imacy of U.S. privacy law. In the long run, a weakened FTC would 
likely result in a more complicated and less industry-friendly regu- 
latory environment. 

Data protection is a complex and dynamic area for consumers, 
companies, and regulators. Section 5 enables the FTC to be adapt- 
ive and serve as a stabilizing force for consumers and companies. 
Thank you very much. 

Chairman ISSA. Thank you. 

[Prepared statement of Mr. Hartzog follows:] 
Testimony of Woodrow Hartzog “The FTC and Its Section 5 Authority” 


I. INTRODUCTION 

Chairman Issa, Ranking Member Cummings, and Members of the Committee, thank you 
for inviting me to appear before you and provide testimony. My name is Woodrow 
Hartzog and I am an associate professor of law at Samford University’s Cumberland 
School of Law and an affiliate scholar at the Center for Internet and Society at Stanford 
Law School. I write extensively about information privacy law issues and have published 
well over a dozen law review articles and other scholarly works. Most relevant to this 
hearing, I, along with my co-author Professor Daniel J. Solove, have spent the last two 
years researching the Federal Trade Commission’s regulation of privacy and data security 
issues, which I will collectively refer to as “data protection.” In a series of articles, we 
have analyzed all 170+ FTC data protection complaints to find trends and understand the 
FTC’s data protection jurisprudence.[1] My comments today will address what I’ve learned 
from this research. 

I will focus my remarks on the FTC’s work on data security and consumer privacy, and 
especially the scope of the FTC’s authority to regulate data protection under Section 5 of 
the FTC Act. I will not address the specifics of any particular privacy or data security 
dispute. These comments are made in my personal, academic capacity. I am not serving 
as an advocate for any particular organization. My remarks will focus on two points. 

First, I will discuss why the FTC’s regulation of privacy and data security under Section 
5 has served a critical function for the US system of data protection. Far from being an 
overall burden to industry, the FTC’s involvement in data protection has given the 
heavily self-regulatory system of data protection necessary legitimacy and heft. 
Diminished FTC data protection authority would threaten the existence of the U.S.-E.U. 
Safe Harbor which governs the international exchange of personal information. No other 
regulator has the same ability to enforce necessary yet quickly evolving protections like 
data security. 

Second, I will discuss the scope and administration of the FTC’s Section 5 authority. I 
have spent a considerable amount of time analyzing the entire body of FTC activity on 
data protection. Overall, the overwhelming pattern is that the FTC has acted 
conservatively, judiciously, and consistently. Given the ever increasing volume of data 
and accompanying risk of the information age, the role of the FTC in data protection 
seems both important and a natural consequence of the agency’s charge to protect 
consumers. 


[1] Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 COLUM. L. 
REV. 583 (2014), available at http://ssrn.com/abstract=2312913; Woodrow Hartzog & Daniel J. Solove, 
The Scope and Potential of FTC Data Protection, 83 GEO. WASH. L. REV. (forthcoming 2015), available at 
http://ssrn.com/abstract=2461096; Daniel J. Solove & Woodrow Hartzog, The FTC and Privacy and 
Security Duties for the Cloud, 13 BNA PRIVACY & SECURITY LAW REPORT 577 (2014), available at 
http://ssrn.com/abstract=2424998; Woodrow Hartzog & Daniel J. Solove, The FTC as Data Security 
Regulator: FTC v. Wyndham and its Implications, 13 BNA PRIVACY & SECURITY LAW REPORT 621 (2014), 
http://docs.law.gwu.edu/facweb/dsolove/files/BNA%20FTC%20v%20Wyndham%20FINAL.pdf. 
II. Section 5 is the Lynchpin of U.S. Data Protection Law 

The most important grant of authority to the FTC in protecting consumers’ personal 
information comes from Section 5 of the Federal Trade Commission Act. Under this 
statute, “unfair or deceptive acts or practices in or affecting commerce, are hereby 
declared unlawful.”[2] The FTC first began to regulate data protection online in the 1990s 
by focusing on promises companies voluntarily made in their privacy policies. When 
companies later failed to live up to these promises, the FTC claimed that this was a 
deceptive trade practice. 

In this way, the FTC used the predominantly self-regulatory approach to privacy and data 
security as its foundation to build a foothold in the area of data protection. Over time, the 
FTC expanded beyond enforcing privacy policies to a broader conception of deception, 
one that did not rely only on explicit promises made. The FTC also began to exercise its 
power to police unfair trade practices. 

Today, the FTC has evolved into the most important data protection agency in the United 
States. The FTC plays two critical roles within the U.S. data protection ecosystem. It fills 
significant gaps left by the patchwork of statutes, torts, and contracts that make up the 
U.S. data protection scheme. The FTC also stabilizes the volatile and rapidly evolving 
area of data protection and provides legitimacy for the largely sectoral U.S. approach to 
data protection. 

A. Filling Critical Gaps 

In the current U.S. privacy regulatory system, the FTC has grown into the key lynchpin 
giving coherence to a partly self-regulatory system supported by a loose patchwork of 
data protection laws at the federal and state level. Unlike many other countries, in the 
U.S. there are a multitude of different laws regulating different industries rather than just 
one general law to regulate all collection and use of personal data. 

Particular sectoral laws often leave gaps where entire industries lack privacy regulation. 
For example, there is no federal law that explicitly mandates data security for all online 
commerce. Without the FTC, some collections and uses of data would be unregulated. 
Through Section 5, the FTC sets a floor for commercial activity that otherwise cannot be 
practically regulated by consumers through contract, tort, or reputation. 

Concerned about consumer concerns and trust, in the late 1990s online companies began 
voluntarily making promises about data protection in privacy policies. Initially, the FTC 
began enforcing these promises made in privacy policies, giving the promises a stronger 
backbone. The FTC’s broad range of coverage spanned countless industries, thus 
plastering over the large gaps and crevices left in between sectoral laws. The FTC also 
brought a thin layer of coherence to the whole system, and this coherence has gradually 
thickened over the years. 


[2] 15 U.S.C. § 45(a)(1). 

The FTC currently remains a key lynchpin in the U.S. data protection regulatory regime. 
Self-regulation still plays a big role, with industry serving as the primary generator of 
best practice norms. Far from being externally imposed, the norms that the FTC has 
enforced have been developed by industry as well as consumer expectations. Instead of 
imposing top-down rules all at once, the FTC has integrated itself into a largely self- 
regulatory approach and gradually developed it into a more robust regulatory system. 

B. The Stabilizing Function of the FTC 

The FTC also stabilizes and legitimizes the U.S. approach to data protection. For 
example, the FTC plays a pivotal role in international confidence regarding privacy in the 
United States. The FTC is an essential component of the Safe Harbor Arrangement, 
which allows personal data to flow between the United States and European Union.[3] 
Without the FTC’s data protection enforcement authority, the E.U. Safe Harbor 
agreement and other arrangements that govern the international exchange of personal 
information would be in jeopardy. 

With so many different sources of law and regulation in the United States, the FTC can 
also play a harmonizing role. The broad scope of Section 5, which allows the FTC to 
respond to many different kinds of threats to data protection, can obviate the need for 
new laws. Section 5 ensures fewer gaps and fewer needs of states to protect their citizens 
in possibly very conflicting and burdensome ways. The FTC’s power is broad enough to 
develop over time a more coherent and comprehensive body of regulatory activity. 

III. The Scope and Administration of the FTC’s Authority Under Section 5 

The FTC’s most important tool for protecting the data of consumers is its grant of 
authority to regulate unfair and deceptive trade practices under Section 5. Congress 
granted the FTC the authority to interpret the nature of deceptive practices, which the 
agency summarized in a 1983 policy statement: A deceptive trade practice is a 
“misrepresentation, omission or other practice, that misleads the consumer acting 
reasonably in the circumstances, to the consumer’s detriment.”[4] Unfair trade practices are 
defined by statute as a practice that “causes or is likely to cause substantial injury to 
consumers which is not reasonably avoidable by consumers themselves and not 
outweighed by countervailing benefits to consumers or to competition.”[5] This broad 


[3] See, e.g., Commission Decision 2000/520/EC, 2000 O.J. (L 215) 7, 26-30 (discussing FTC enforcement 
authority); Issuance of Safe Harbor Principles and Transmission to European Commission, 65 Fed. Reg. 
45,666 (July 24, 2000) (same); Int’l Trade Admin., U.S. Dep’t of Commerce, U.S.-EU Safe Harbor 
Overview, Export.gov, http://www.export.gov/safeharbor/eu/eg_main_018476.asp (“Under the Federal 
Trade Commission Act, for example, an organization’s failure to abide by commitments to implement the 
Safe Harbor Privacy Principles might be considered deceptive and actionable by the Federal Trade 
Commission.”). 

[4] Letter from James C. Miller III, Chairman, FTC, to Hon. John D. Dingell, Chairman, House Comm. on 
Energy & Commerce (Oct. 14, 1983), reprinted in In re Cliffdale Assocs., Inc., 103 F.T.C. 110 app. at 
175-84 (1984) (decision & order). 

[5] 15 U.S.C. § 45(n) (2012). 
grant of authority was designed precisely to avoid restrictive categories of practices 
which are unfair or deceptive.[6] 

A. The Intentionally Broad Scope of Section 5 

Other than the limitations inherent in the conceptualizations above, Congress has been 
explicit in eschewing hard boundary lines for what constitutes unfair and deceptive trade 
practices. 

The scope of the FTC’s deceptiveness jurisdiction has included broken promises of 
privacy and data security, deceptive actions to induce the disclosure of information, and 
failure to give sufficient notice of privacy invasive practices. Although the requirement 
that a deception be material to consumers constrains the scope of FTC enforcement 
power, misrepresentations can be made in virtually any context, including boilerplate 
policies, marketing materials, and even the design of websites. 

The FTC’s unfairness authority is also comprehensive. According to the FTC, “The 
present understanding of the unfairness standard is the result of an evolutionary process. 
The statute was deliberately framed in general terms since Congress recognized the 
impossibility of drafting a complete list of unfair trade practices that would not quickly 
become outdated or leave loopholes for easy evasion.”[7] 

B. A Conservative, Judicious, and Consistent Approach 

A review of every FTC complaint related to data protection reveals that the agency has 
acted in a conservative way. The FTC’s data security program began under the direction 
of then-Chairman Timothy Muris and has continued, without any major course change, 
under the stewardship of Chairwoman Deborah Majoras, Chairman William Kovacic, 
Chairman Leibowitz, and now Chairwoman Ramirez. 

The FTC actually brings a relatively very small number of data security complaints. 
Compared to the number of total reported data breaches, the likelihood that a company 
will be subject to a FTC enforcement action is quite low. The Privacy Rights 
Clearinghouse has reported that since 2005 there have been over 4300 data breaches 
made public with a total of over 868 million records breached.[8] Yet the FTC has filed 
only 55 total data security-related complaints, averaging around five complaints a year 
since 2008.[9] 


[6] See H.R. Conf. Rep. No. 1142, 63d Cong., 2d Sess., at 19 (1914) (finding that, regarding unfairness, if 
Congress "were to adopt the method of definition, it would undertake an endless task"). 

[7] FTC Policy Statement on Unfairness, Appended to International Harvester Co., 104 F.T.C. 949, 1070 
(1984). See 15 U.S.C. § 45(n). See also Chris Hoofnagle, FEDERAL TRADE COMMISSION PRIVACY LAW 
AND POLICY (forthcoming 2015). 

[8] Privacy Rights Clearinghouse, Chronology of Data Breaches: Security Breaches 2005 - Present, 
https://www.privacyrights.org/data-breach. 

[9] Federal Trade Commission, Legal Resources: Privacy and Security, http://www.business.ftc.gov/legal- 
resources/29/35. 
Instead, the FTC typically pursues only what it considers to be egregious data security 
practices. Each data security complaint includes a litany of alleged security failures, 
including failures to identify assets and risk, failures to minimize the storage of data, and 
failures to implement reasonable administrative, technical, and physical safeguards. The 
FTC has remained notably consistent as it gradually develops its data security 
jurisprudence in incremental steps. 

C. The Wide Consensus of Reasonableness-based Data Security Requirements 

The FTC generally prohibits unreasonable data security practices “in light of the 
sensitivity and volume of consumer information it holds, the size and complexity of its 
business, and the cost of available tools to improve security and reduce vulnerabilities.”[10] 

What constitutes reasonable data security is determined virtually entirely by industry 
standard practices. This deference to industry keeps the FTC from promulgating data 
security rules in an arbitrary and inconsistent way. The FTC does not pull rules out of 
thin air. Rather, it builds upon the formidable and evolving body of knowledge in the data 
security field as well as the commonly implemented data security practices of companies 
to determine when custodians of personal information are engaging in unfair and 
deceptive data security practices. 

A reasonableness standard is already one of the most established and proven touchstones for 
regulating data security. Almost ten states require reasonable data security practices, 
rather than a specific list of prohibited or mandatory actions.[11] Congress has also 
explicitly embraced a reasonableness approach to data security. The Fair Credit 
Reporting Act (FCRA),[12] the Health Insurance Portability and Accountability Act 
(HIPAA),[13] and the Gramm-Leach-Bliley Act (GLBA)[14] all use reasonableness as a 
touchstone for determining the adequacy of data security measures. 

Unfortunately, it is not possible to provide a “one size fits all” detailed checklist of 
reasonable data security practices. A determination of reasonable data security is far too 
dependent upon context. Yet a comparison of data security regulatory regimes that use a 
reasonableness standard shows that there are four central components of a reasonable 
approach to data security: 

1) Identification of assets and risk 

2) Data minimization 

3) Administrative, technical and physical safeguards 

4) Data breach response plans 


[10] Federal Trade Commission, Commission Statement Marking the FTC’s 50th Data Security Settlement 
(January 31, 2014), http://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf. 

[11] See Woodrow Hartzog & Daniel J. Solove, The Scope and Potential of FTC Data Protection, 83 GEO. 
WASH. L. REV. (forthcoming 2015) at fns 80-83, available at http://ssrn.com/abstract=2461096. 

[12] 16 C.F.R. § 682.3(a). 

[13] 45 C.F.R. §§ 164.308-.314. 

[14] 16 C.F.R. §§ 314.3-314.4. 

Various frameworks exist to provide further detail for those operating in certain contexts, 
such as the framework and standards offered by the National Institute of Standards and 
Technology (NIST)[15] and the Payment Card Industry (PCI) Security Standards Council.[16] 

Additionally, ample resources exist for companies looking for guidance on reasonable 
data security practices, many of which are free and easily accessed online. The Federal 
Trade Commission actively updates its resources on data security.[17] Scholarly articles, 
trade publications, and other sources of information are also readily available.[18] 

A robust support system exists for companies seeking to provide reasonable data 
protection for consumers. There is a vast network of privacy professionals dedicated to 
helping companies understand their obligations under certain privacy regimes like the 
FTC. Technologists and other consultants can help companies of all sizes. These 
counselors have a nuanced understanding of data protection and the significance of the 
FTC complaints and are able to rely on the FTC’s guidance as well as industry standards 
to competently advise their clients. 


IV. Conclusion 

Section 5 of the FTC Act has empowered the Federal Trade Commission to serve a 
central role in protecting consumer information. Just as importantly, the FTC’s data 
protection jurisprudence helps create and sustain consumer trust in companies that collect 
and store consumers’ personal information. It is very difficult for consumers to determine 
whether a company collecting their personal information has reasonable data security 
practices. This opacity decreases the incentive for companies to spend the resources 
necessary to establish reasonable data protection. The FTC’s regulation of data protection 
under Section 5 allows consumers to transact with companies with greater confidence 
that their personal information will be safe and properly used. 

Of course, as with any agency, there is always room for improvement of FTC 
enforcement. More detailed complaints and closing letters from investigations that do not 
result in a complaint are quite helpful to other companies and, to the extent that they are 
productive and feasible, should be encouraged. But the agency’s power should be 
expanded rather than contracted. Diminishing FTC power will not ultimately make the 
climate easier for business. In fact, given the vital importance of data protection in 
commerce, a reduction in FTC authority would likely result in the passage of more 


[15] National Institute of Standards and Technology, Framework for Improving Critical 
Infrastructure Cybersecurity, http://www.nist.gov/cyberframework/upload/cybersecurity-framework- 
021214.pdf. 

[16] PCI SSC Data Security Standards Overview, https://www.pcisecuritystandards.org/security_standards/. 

[17] Federal Trade Commission, Legal Resources: Privacy and Security, 
http://www.business.ftc.gov/legal-resources/8/35. 

[18] See, e.g., Joel Reidenberg, N. Cameron Russell, Alexander Callen, and Sophia Qasir, Privacy 
Enforcement Actions, CENTER ON LAW AND INFORMATION POLICY (June 2014), 
http://law.fordham.edu/assets/CLIP/CLIP Privacy Case Report - FINAL.pdf; Travis D. Breaux & David 
Baumer, Legally "Reasonable" Security Requirements: A 10-year FTC Retrospective, 30 COMP. & 
SECURITY 178 (2011), http://www.cs.cmu.edu/~breaux/publications/tdbreaux-cose10.pdf. 
restrictive and conflicting state laws, more actions by state attorneys general, more 
lawsuits from private litigants, and more clashes with the E.U. concerning the overall 
strength of U.S. privacy law. In the long run, a weakened FTC would likely result in a 
more complicated and less industry-friendly regulatory environment. 

Data protection is a complex and dynamic area. Section 5 enables the FTC to be adaptive 
and serve as a stabilizing force for consumers and companies. 
Chairman ISSA. I will now recognize myself for a round of ques- 
tioning. 

Mr. Daugherty, there was an allegation by Tiversa that there 
was a data breach. Have you seen ever any indication, collateral 
indication, that that breach went to third parties that resulted in 
any use of the identity information? Any? 

Mr. Daugherty. Thank you. Chairman Issa. 

As a matter of fact, no, sir, we have not. 

Chairman ISSA. Okay. Mr. Roesler, same thing. You put up with 
years of a lawsuit. Did any of the complainants have any dem- 
onstrated information that their identifiable information had actu- 
ally gone somewhere, or just that there was a vulnerability? 

Mr. Roesler. To my knowledge, there is none. 

Chairman ISSA. Now, if there was a breach, meaning it was 
taken — you had what was it, 184 records that were alleged? Mr. 
Daugherty, you had thousands? 

Mr. Daugherty. Correct. Nine thousand. 

Chairman ISSA. I’ve heard an expression that I’d like to see if 
you all agree with. If you have thousands of records, whether it is 
184 in your case or many, many thousands, if they have actually 
gone out to third parties somewhere, they’ve, in other words, mined 
them, doesn’t it defy gravity that none of them have led to any use 
of that information in either of your cases? 

Mr. Daugherty. Yes, Chairman Issa, I would agree with that. 

Chairman ISSA. Okay. So I’m not a student of statistics, but I 
had to take it in college. I certainly agree. 

So the allegation that you’re facing is that you had a vulner- 
ability, not an actual breach in reality, because a breach would 
demonstrate some use. What they really said was, Mr. Roesler, you 
didn’t protect your site, you didn’t have a good enough lock on your 
site; is that correct? 

Mr. Roesler. I believe so, yes. 

Chairman ISSA. Mr. Daugherty, same thing. Your lock wasn’t 
good enough. 

Mr. Daugherty. That’s correct, sir. 

Chairman ISSA. Now, the American people may not understand 
cybersecurity at this point, but they understand the padlock on 
their front door, their garage door opener. And I just want to put 
it in perspective for a moment. 

Ninety percent of the garage door openers made before the year 
2000, a product that simply takes the chip and sequentially goes 
through the combinations, will open every one of those garage 
doors. Before 2000, the vast majority of garage doors, simply you 
had to go through anywhere from 250 to a few thousand combina- 
tions, and eventually your garage door would open. People haven’t 
gone back and changed their garage doors. Unless you have a 
Medeco key or a number of other very high-security keys, if you 
have a typical key, it can be picked by any locksmith. 

So are these people leaving a vulnerability? Maybe yes, maybe 
no. But I want to put it in perspective for both of you. 

The allegation, as I understand it from previous testimony before 
this committee, is effectively one of your employees may have in- 
stalled a program that was sort of the equivalent of putting a little 
bit of bubble gum in the door latch so that the door didn’t really 
lock, and there was a vulnerability. In both cases, as far as I un- 
derstand, there was no allegation that you instructed the employee 
to do it, or that you did it, or that it was done with your knowl- 
edge. And, Mr. Roesler, I understand in your case you never found 
the alleged peer-to-peer; is that correct? 

Mr. Roesler. That’s correct. And I don’t know that the allega- 
tions were ever about an employee. Simply that a file that Open 
Door had created had gotten out. 

Chairman ISSA. Right. But a file that was never found except in 
the hands of Tiversa. 

Mr. Daugherty. Same. As a matter of fact, if you look at the 
FTC’s press release announcing the litigation, they never used the 
word “breach.” That’s correct, sir. 

Chairman ISSA. So we’re not talking about a loss of data, we’re 
talking about the vulnerability, the same vulnerability that every 
time a notebook like this or a computer notebook walks out of a 
government office with personal information on it, like it did in the 
case of the famous VA one where somebody simply left their note- 
book, and a million veterans’ identifiable information was there, it’s 
a vulnerability. If it actually occurs, it occurs because of a human 
failure in most cases, not because of an inherent system failure. 

Mr. Daugherty, you were running a dotcom. Did you have profes- 
sional advice and counsel, and did you buy software to protect 
against this type of thing? 

Mr. Daugherty. We ran a medical laboratory. 

Chairman ISSA. But, I mean, you had an online presence. 

Mr. Daugherty. We had an online presence. 

Chairman ISSA. Mr. Roesler, same thing. From your testimony, 
you engaged professional outside people to give you security. 

Mr. Roesler. That’s correct. 

Chairman ISSA. So you used what you would consider and still 
consider to be maybe not best practices, but the best practices you 
knew of and could afford, right? 

Mr. Roesler. Yes. 

Chairman ISSA. We were told under oath by Mr. Boback twice 
that, in fact, deceptive software was what they went out looking for 
and found these breaches. And I just want to close by asking just 
one question. 

Mr. Roesler — and I keep mispronouncing it. 

Mr. Roesler. It’s Roesler. 

Chairman ISSA. Roesler. Mr. Roesler, in your case you had a kind 
of a unique thing that I want to make sure you get a chance to ex- 
plain to us. A company, Tiversa, in Pittsburgh, more or less, con- 
tacts you. Coincidentally a plaintiffs law firm in Pittsburgh, Penn- 
sylvania, as I understand it, forms a class-action lawsuit and goes 
after you, and has the information to contact those very people who 
they told you you had this breach. So the law firm has the name 
of all your clients; is that right? 

Mr. Roesler. That’s exactly right. 

Chairman ISSA. And they didn’t get it from you. So in your case 
you do have a breach. You know that somebody clandestinely got 
your clients’, your AIDS patients’ information, gave it to a law firm 
who then used it — and I ask unanimous consent that the sample — 
we’ll get it here in a second — letter that that law firm sent out to 
every one of your patients — this is called Serrano and Associates — 
and it says right on the bottom, this is a solicitation to provide 
legal services. And is this a copy for the ranking member? I’ll give 
a copy to the ranking member. You have seen that solicitation? 

Mr. Roesler. Indeed. 

Chairman ISSA. So I just want to make sure for the record that 
both sides understand. Tiversa contacts you and says there’s been 
a vulnerability, offers you to sell you the services for nearly $500 
an hour. You turn them down after talking to your professionals, 
find no vulnerability. But then a law firm has the very information 
they were talking about, which obviously was gleaned somewhere, 
and probably off of your servers or your drives. They — then it gets 
somehow to a law firm, coincidentally in Pittsburgh, who then goes 
about creating a plaintiffs — a class-action suit, contacts your pa- 
tients, who in no other way were contacted except by this law firm, 
and proceeds to sue you for years. 

Mr. Roesler. That is my perspective. 

Chairman ISSA. Okay. I now recognize the ranking member. 

Mr. Cummings. Mr. Chairman, to indulge us before I ask my 
questions, I would ask for just 1 minute to clarify a point for the 
record with unanimous consent with regard to some statements 
you made in your opening statement. May I? 

Chairman ISSA. Go ahead. 

Mr. Cummings. Thank you very much. 

The chairman made some points in his opening statement about 
the potential immunity for a witness, and I take this moment because, 
Mr. Chairman, everybody on both sides of the aisle cares tremendously 
about whistleblowers. There is not one person on this, Republican or 
Democrat, and our record has shown that. 

You said that the Democrats have been unwilling to consider im- 
munity. That’s not accurate. We have said consistently and repeat- 
edly that we are willing to consider immunity. We participated in 
the proffer. We viewed the video, as well as many documents. At 
this stage the committee has not identified evidence that would 
substantiate or corroborate the allegations of this witness against 
other individuals. 

The chairman also said that we have sought out negative infor- 
mation about this witness in an effort to discredit him. That’s not 
true. The information came to us from the CEO of Tiversa’s attor- 
ney about criminal activity. Once we found out about that, we 
wanted to know more about it. I mean, that’s just logical. 

Chairman ISSA. I thank the ranking member, and I would say 
that this is perhaps outside the scope of this hearing. I would also 
note 

Mr. Cummings. But you just made these allegations against us. 
It’s in the scope of the hearing because you put it in there. 

Chairman ISSA. You asked unanimous consent. I granted it. The 
fact is that my opinion in the opening statement will stand. 

I will say for the record, since you just said it, too, the fact is 
your committee members have refused — even sitting here in the 
House of Representatives, even inside a building with total secu- 
rity, they have refused to meet with the whistleblower, claiming 
that based on the allegations of Mr. Boback and his attorney, that 
they are too afraid to, men and women. So quite frankly, you can 
have your opinion — you can have your opinion, Mr. Ranking Member, 
I will have mine. 

Mr. Cummings. Very well. I will continue my 5 minutes then. 

Chairman ISSA. I will start your 5 minutes over in a moment. 

Mr. Cummings. Okay. 

Chairman ISSA. I have invited in my opening statement, and 
with indulgence of the witnesses, all Members to look at the video 
proffer, and all members of this committee to have access directly 
to the whistleblower for purposes of continuing the proffer. 

I made it clear in my opening statement — and I will reiterate it 
because I think the ranking member’s point is good — serious alle- 
gations about the personal life of the witness have come forward. 
But, again, as I said in my opening statement, allegations do not 
go to the direct claims of the whistleblower as to the facts that he 
said in his proffer had occurred. 

So is the whistleblower claiming he did no wrong? Just the oppo- 
site. The whistleblower has come forward with a proffer, because, 
in fact, if he makes that testimony, he will do so at the risk of pros- 
ecution. The whistleblower has already taken the Fifth in another 
venue, and, as a result, qualifies for the question. 

Now, in the Lois Lerner case, Mr. Cummings, we had a witness 
who you kept saying you wanted immunity for, but she only said 
she was innocent. In this case we have an individual 

Mr. Cummings. There you go again. 

Chairman ISSA. This individual, this individual came forward 
and said wrongdoing occurred. It has led to today’s hearing. And 
I simply, in my opening, asked all Members to take the time to 
look at the information individually, because I do believe that to 
get a full understanding and cross-dialogue — because everything 
that is brought out by our whistleblower is subject to, in fact, credi- 
bility check as to the facts brought — but that dialogue will not be 
possible unless the whistleblower is granted the limited immunity 
as to exactly what, and only what, he came forward with as allega- 
tions against Tiversa, and, as a result, the FTC and perhaps false 
statements made before this committee. 

It is a serious claim, I take it seriously, and I ask all Members 
to individually look at it. Mr. Cummings, most Members have 
never seen any of it, and that’s why I was making it available 
today in open hearing to look at it and make their own decisions. 

And I thank the gentleman. Please restore his time to 5 minutes. 

Mr. Cummings. Thank you, Mr. Chairman. 

The chairman also said we had sought out negative information 
about this witness in an effort to discredit him. That is not true. 
The witness has engaged in numerous criminal activities that go 
to credibility, and he failed to disclose to the committee during his 
proffer, he failed to disclose them. And some of these activities 
were occurring at the same time that we were speaking with the — 
that he was speaking with the committee. 

Generally, I believe the committee should grant immunity to wit- 
nesses who have admitted to engaging in criminal conduct only in 
rare circumstances when those witnesses provide concrete evidence 
of criminal activity by others. I appreciate the goal of rewarding 
whistleblowers who come forward voluntarily to identify waste, 
fraud, and abuse, and we have a record of that. But I do not believe 
that immunity is a proper reward when individuals provide evidence 
relating only to their own wrongdoing. 

Although we remain open — and I say, I want to be clear — al- 
though we remain open to considering immunity should additional 
evidence emerge, we cannot responsibly support immunity at this 
time. 

Now, according to the Republican memo for today’s hearing, one 
of the main topics is, “whether the FTC has the authority to pursue 
data-security enforcement actions under its current Section 5 au- 
thority.” So let’s ask our witnesses. 

Mr. Stegmaier, you have written extensively on this topic. In one 
article, you wrote, “The agency is the Federal Government’s largest 
consumer protection agency. The Commission routinely inves- 
tigates publicly reported data-related incidents with the threat of 
subsequent litigation. Since 2000, the FTC has brought 42 data-se- 
curity cases.” 

Mr. Stegmaier, with respect to the hearing question today, I take 
it from your writings that you agree that the FTC has the author- 
ity to bring enforcement actions under Section 5 to protect the data 
security of consumers; is that right? 

Mr. Stegmaier. Mr. Cummings, thank you. That is actually a 
really great question, and I appreciate the way that you have pre- 
sented it. 

At the outset, let me just note that I come before the committee 
today with the understanding that the committee sought my exper- 
tise and understanding specifically about fair notice and due proc- 
ess concerns. 

Whether or not the agency has jurisdiction is actually, ironically, 
something that Congress has given the agency incredible deference 
to determine in and on its own, and it’s actually subject to a num- 
ber of pending lawsuits and litigation. 

So the answer to your question, I think, is that the agency abso- 
lutely believes that it has such jurisdiction, but that answer to that 
question hasn’t been definitively resolved. And, historically, under 
caselaw, the agency would receive such deference. 

But my focus is more on whether or not people who are going to 
be subject to that deference, whatever the ultimate outcome may 
be, have fair notice about what the law requires of them. 

Mr. Cummings. Mr. Hartzog, you have also written extensively 
on the FTC’s work on data security, so let me ask your expert opin- 
ion. Does the FTC have the authority to bring data-security actions 
under Section 5? 

And one of the things that we should all be concerned about is 
a chilling effect. And I just wanted you to respond to that. 

Mr. Hartzog. Sure. I think that, yes, the FTC does have the au- 
thority under Section 5 to regulate data-security practices. If you 
look at the plain wording of Section 5, it is intentionally quite 
broad. There are limitations, so, you know, there are limits as to 
what constitutes an unfair practice and a deceptive trade practice. 
But, certainly, you know, given the heft of both the opinion, the re- 
cent opinion, in the Wyndham decision and the FTC’s practice gen- 
erally in the way that we interpret statutes, the FTC has the au- 
thority to regulate data security. 
With respect to chilling effects, I think that the FTC has proceeded 
in a pretty judicious and conservative manner with respect to the 
regulation of data security, and so it is not like there has been a 
dramatic lurch forward. As a matter of fact, they have been inching 
along through several different Presidential administrations basically 
along the exact same course with no appreciable difference. And so I 
think that the body of jurisprudence is actually sound in that regard. 

Mr. Cummings. Professor, can you describe why it is important 
for the FTC to exercise its authority over data-security breaches? 

Mr. Hartzog. Sure. There are several reasons. One is it gives 
the U.S. system of data protection legitimacy and heft. So many, 
for example, international agreements, like the EU-U.S. Safe Har- 
bor Agreement, is contingent upon the FTC being able to regulate 
data security, particularly now that there are questions about the 
strength of the U.S. data-protection program. 

Also, the U.S. system of regulating privacy is done in a patch- 
work manner, so there is no one great law that regulates data se- 
curity across the United States. And what that does is it leaves a 
number of different gaps. And the only statutes that really — the 
only avenue by which we can provide a baseline of data protection 
in the United States right now is Section 5 of the FTC Act. 

And so Section 5 helps harmonize a lot of data-security practices, 
and it also has been consistent with a lot of other data-security reg- 
ulatory regimes. 

Mr. Cummings. You heard the testimony of Mr. Daugherty and 
Mr. Roesler — by the way, gentlemen, I am sorry that you have gone 
through what you have gone through. I spent my life representing 
people who were not properly — they were improperly accused. 

But you heard their testimony. I was just wanting to get your re- 
action to that. It seems as if there is a question — and Mr. 
Stegmaier talked about this a bit — as to charging folks. The way 
that folks are charged, they use data that — I think, Mr. Stegmaier, 
you would agree with this, based upon what you just said — that 
might you consider unfair charging. Would that be a fair state- 
ment? 

Mr. Stegmaier. I am not sure I understood 

Mr. Cummings. Okay. 

Mr. Stegmaier. — precisely the question, sir. 

Mr. Cummings. But you understand what I am saying, right, Mr. 
Hartzog? 

Mr. Hartzog. So I think that the allegations that have been 
brought up are that there is not enough notice given to companies 
and that they are expected to follow rules that they say they don’t 
know what they are. 

The answer that I would give to that is that the FTC uses a rea- 
sonableness test, and a reasonableness test for regulating data se- 
curity is the most common way, if you look across regulatory re- 
gimes, to regulate data security. So the Gramm-Leach-Bliley Act 
and HIPAA and many State regimes, all of them use a reasonable- 
ness test. 

And the way that you execute a reasonableness test is you defer 
to some other existing body of standards, right? And so, in this 
case, it is a complete deference to industry standards. The FTC actually 
doesn’t create the standard at all. Rather, they say, what is 
industry doing? And there is a whole body of study, so there are 
whole industries and fields of study dedicated to what makes not 
just cutting-edge data security but just industry-standard data se- 
curity and best practices. And that is what the FTC says you 
should look to to determine what the baseline is. 

And so the FTC actually isn’t unique in its regulatory approach. 
There are States and other statutory schemes that utilize very 
similar approaches. 

Mr. Cummings. Thank you very much, Mr. Chairman. 

Mr. Daugherty. Can you explain to me, then, why the HIPAA 
and HHS is not coming after LabMD? 

Mr. Hartzog. I am sorry? 

Mr. Daugherty. Can you please explain then, if you are talking 
about industry standards — we are a medical facility. We are under 
HHS and HIPAA. They have not come after LabMD or cited any- 
thing. 

Mr. Hartzog. Well, I actually can’t speculate as to why. There 
are lots of different reasons why claims are brought or not brought. 

Chairman ISSA. It is a good question, but we probably won’t have 
any more between witnesses 

Mr. Daugherty. Sorry. 

Chairman ISSA. — if you don’t mind. 

But I do want to clarify just two things very, very quickly. You 
said a body of jurisprudence. That would imply that there has been 
decisions at the district and then the appellate court. Are there 
any? 

Mr. Hartzog. Well, we do have a decision at the district-court 
level in the Wyndham case, but, actually, jurisprudence can come 
from a number of different sources. And primarily, in the case of 
the FTC, it comes from the complaints that they filed. 

Chairman ISSA. Okay. So the consent decrees are a body of jurisprudence 
where they sue and settle, and you are calling that a 
body of jurisprudence. I just wanted to make sure that is what you 
were talking about. 

Mr. Hartzog. Well, not the consent decrees, but rather the com- 
plaints that indicate what the FTC considers to be an unfair and 
deceptive trade practice. 

Chairman ISSA. Okay. 

And only one more quick one for Mr. Daugherty and Mr. Roesler. 

Were you given any safe haven or guidance by the FTC as to how 
you could, in fact, not fall under unfair practices at any time from 
the beginning until today, those so-called standards that Mr. 
Hartzog has said exist? 

Mr. Daugherty. Well, sir, thank you for that question, Chairman Issa. 

No. As a matter of fact, I stated, and as further indicated in my 
written testimony, quite to the contrary. In briefs and in quotations 
from the FTC, they argue they don’t need to promulgate rules or 
inform us of standards. And even their experts said that we should 
Google them. 

And this is just not a way to regulate an American industry and 
economy, let alone the world of medicine. 

Mr. Roesler. My response would be that 
Chairman ISSA. Yes, of course. 

Mr. Roesler. — the communication that Open Door received from 
the FTC was one simple letter; it was a warning that we received 
from them. There was no other communication. And during that 
time, it was simply about a file being out, and they listed the file. 

Chairman ISSA. So they just didn’t pursue you, nor did they give 
you guidance on how to remedy. 

Mr. Roesler. That is my understanding. 

Chairman ISSA. And did you have something else you want to follow 
up on? 

Mr. Cummings. Just to follow up on — a friendly follow-up on the 
chairman’s question. 

Mr. Hartzog, you just heard what they said. You talked about a 
body of jurisprudence, and here you have folks who are saying they 
had no idea what was going on. Can you react to that? 

Is that a fair statement, gentlemen? 

You didn’t 

Mr. Hartzog. I would actually say that it’s not a fair statement, 
nor is the FTC unique in requiring, you know, a standard to which 
there is not, you know, to the utmost specificity, right? 

So, for example, in tort law, you are expected to build products 
safely, but there is not a manual that you get when you start de- 
signing products that says, you know, here are the 130 steps that 
you can take to make a product safe, right? You actually look to 
industry standards, which is another thing that is relatively com- 
mon. And that is the kind of evidence that is used to determine 
whether you are acting reasonably or not. 

Mr. Cummings. Thank you very much, Mr. Chairman. 

Chairman ISSA. I thank all of you. 

I will tell you, as somebody who has set industry standards, sat 
as a chairman of a trade association, I understand that safe havens 
are critical, industry standards, if you live up to them, you are sup- 
posed to get a level of immunity, at least from persecution by your 
government. It doesn’t seem like that exists here. 

Mr. Mica? 

Mr. Mica. Thank you, Mr. Chairman. 

And, Mr. Daugherty, you had Lab Med? 

Mr. Daugherty. LabMD, sir. 

Mr. Mica. Okay, LabMD. 

And you had Open Door, Mr. Roesler? 

Mr. Roesler. That is correct. 

Mr. Mica. Two different activities. 

Now, were you first notified by FTC that there was some breach 
or some problem with your handling of data, Mr. Daugherty? 

Mr. Daugherty. We 

Mr. Mica. When did FTC notify you first? 

Mr. Daugherty. They sent us an 11-page letter starting the in- 
quiry. 

Mr. Mica. Before that, no? 

Mr. Daugherty. No, sir. We were just under HIPAA. 

Mr. Mica. And before that, no with you. 

I am just trying to look at what took place here. So you both are 
conducting your business or activities, and you both get calls from 
this firm, Tiversa. And that was the first notice that you had from 
anyone that you had problems as far as data security. 

Is that correct, Mr. Daugherty? 

Chairman ISSA. And I would only ask one thing, that whenever 
you answer, make sure it is verbal. The clerk is not allowed to 
write down a head nod. 

Mr. Mica. Yeah, nods don’t count. 

So, Mr. Daugherty? 

Mr. Daugherty. Yes 

Mr. Mica. When you first — I want to find out when you first 
found out from some outside source that there was some breach. 

Mr. Daugherty. The outside source, sir, was — the first one was 
Tiversa in May 2008, and then the 

Mr. Mica. And Mr. Roesler? 

Mr. Roesler. For Open Door, it was also Tiversa that notified 
us first. 

Mr. Mica. Okay. And that firm told you that they had, I guess, 
been fishing or surfing, whatever the hell they did. And then did 
they offer to help remedy your situation, Mr. Daugherty? 

Mr. Daugherty. They — well, yes, sir. They would not 

Mr. Mica. What was the offer? 

Mr. Daugherty. The offer was 

Mr. Mica. How much an hour? 

Mr. Daugherty. $475 an hour, with a 4-hour minimum, no guar- 
antee. 

Mr. Mica. Mr. Roesler? 

Mr. Roesler. It was $475 an hour. 

Mr. Mica. And, Mr. Daugherty, what did you tell them? 

Mr. Daugherty. I told them I was not interested until they gave 
me more information. 

Mr. Mica. Okay. 

And, Mr. Roesler, what did you tell them? 

Mr. Roesler. I didn’t respond. 

Mr. Mica. You didn’t respond. Okay. 

So, after your initial contacts, your first contact of the breach, 
then you were later notified by FTC that there was a problem, Mr. 
Daugherty? 

Mr. Daugherty. Well, we were called by 

Mr. Mica. It was subsequent. 

Mr. Daugherty. Later in 2008, we were told by Tiversa they 
were giving it to Federal Trade Commission, and then Federal 
Trade Commission contacted us 14 months later. 

Mr. Mica. Uh-huh. 

And Mr. Roesler? 

Mr. Roesler. Yes, afterwards. Uh-huh. 

Mr. Mica. Yeah. 

And we tend to believe that FTC was informed or got that infor- 
mation from that company. Would you assume the same thing, Mr. 
Daugherty? 

Mr. Daugherty. Yes, sir, I would. 

Mr. Mica. What would you assume, Mr. Roesler? You gave it to 
them? You called them up and said, “We are doing this, and you 
ought to investigate us?” 

Mr. Roesler. Excuse me? 
Mr. Mica. I am just — that was a joke. 

Mr. Roesler. All right. Thank you. 

So I don’t know. I don’t know the answer to that question. If that 
is how 

Mr. Mica. But somehow they got the data. 

Mr. Roesler. That is correct. 

Mr. Mica. Well, to me, it looks like a little bit of an extortion 
game from a company trying to make a few bucks off of you guys, 
fishing and then coming after you. That is just my assumption. 
Now, we don’t have FTC and others in here. We will have to find 
out more of what took place. 

Part of this is that, you know, FTC was set up for a good and 
noble purpose, and that is to deal with deceptive and unfair trade 
practices. And we should have the right, too, to have whistle- 
blowers give them information. But a lot of the discussions also 
went around the standards and what is fair. But the standards do 
not exist specifically, Mr. Hartzog, as part of the testimony. That 
is first. 

And then, secondly, you made a good point, that we don’t want 
to clip FTC’s wings to inhibit their power to go after bad actors. 
Is that correct? 

Mr. Hartzog. Yes, that is correct. 

Mr. Mica. But if we find out, again, that the motivation for this 
was their nonparticipation in this scheme, it doesn’t seem like they 
were treated fairly, one, and, two, that you two were never given 
notice to correct the practice. Were you given notice to correct what 
they considered 

Mr. Daugherty. Oh, we were just given endless questions for 
years and then a suit. No. That was all we were given. 

Mr. Mica. Were you given a remedial course or 

Mr. Roesler. In our letter, it was suggested that we 

Mr. Mica. Cease and desist? 

Mr. Roesler. Something like that. 

Mr. Mica. Remedy your situation? 

Mr. Roesler. That is right. Look into it. 

Mr. Mica. Uh-huh. Because I think, again, businesses need to be 
notified by the regulatory agencies if there is a practice, and then 
if they don’t clean their act up — you didn’t devise those software 
systems, it was probably something you purchased, that had a 

Mr. Daugherty. LimeWire was never even purchased. That is 
just malware that was out there 

Mr. Mica. Uh-huh. 

Mr. Daugherty. — that was put in by an employee with a total 
lack of authorization. 

Mr. Mica. But it wasn’t a purposeful thing, and when you found 
out, you tried to remedy it. 

Mr. Daugherty. Absolutely, sir. 

Mr. Mica. Mr. Roesler? 

Mr. Roesler. We never had any evidence of having 

Mr. Mica. But when you found out, did you try to remedy it, the 
situation? 

Mr. Roesler. We just researched to find that we had no risk of 
that. That was 

Mr. Mica. Okay. All right. 
I yield back. 

Chairman ISSA. Okay. Thank you. 

Mr. Hartzog, just to make sure, was LimeWire ever gone after 
by the FTC for their deceptive practices of creating the 
vulnerabilities? 

Mr. Hartzog. I 

Chairman ISSA. You have looked through the body of jurisprudence. 

Mr. Hartzog. I do not believe so, so I 

Chairman ISSA. But they never went after the people who created 
the vulnerability, just people who were victims. 

Mr. Hartzog. Yeah, I don’t — I am not privy to investigations. I 
only know about the filed complaints. But as far as I know, there 
was no filed complaint against LimeWire. 

Chairman ISSA. Yeah. That makes sense. They were probably 
without deep pockets and too slippery. 

The gentleman from Massachusetts, Mr. Tierney. 

Mr. Tierney. Thank you. 

Mr. Hartzog, apparently there was ultimately an agreement or a 
decision that the companies that are testifying here today did not 
live up to industry standards or some other measure of reasonable- 
ness. Is that fair to say? 

Mr. Hartzog. Yes, that is fair. 

Mr. Tierney. All right. So in that determination by the FTC of 
whether or not they complied with the reasonableness on that, is 
the sophistication of the company, the size of the company, the re- 
sources the company might have for establishing secure IT, the 
danger of the release of their data, are all of those factors in that 
determination of reasonableness? 

Mr. Hartzog. Absolutely. That is one of the reasons why a one- 
size-fits-all checklist for data security will never work, because it 
is far too dependent upon variables like that. And so, of course, 
large companies, large tech companies — you know, Microsoft and 
Amazon and all these others — are expected to have significantly 
different and probably more robust data-security practices than, 
say, smaller businesses. Now, of course, there is a baseline for ev- 
eryone collecting personal information, but it varies wildly as to 
what is constituted in any given circumstance. 

Mr. Tierney. So is there an FTC process where, when they be- 
come notified that a problem may exist, they notify the individual 
and give them an opportunity to cure? 

Mr. Hartzog. Because I am not privy to a lot of the internal in- 
vestigations within the FTC, I am unable to answer that question. 

Mr. Tierney. Mr. Stegmaier, do you have any information on 
that, whether or not the FTC as a matter of course, when they 
have an allegation or a concern that somebody may not be being 
reasonable in securing their IT, they give that company an oppor- 
tunity to cure before they take action? 

Mr. Stegmaier. I have never had an experience in 13 years of 
doing this where they proffer the opportunity to cure in the man- 
ner that I think you are suggesting. 

I have had a number of nonpublic resolutions, many, many 
times. But I haven’t had this sort of, I think in the chairman’s 
words, safe-harbor situation where they say, “We have brought this 
to your attention, we see that you have taken corrective measures, 
and we have determined that that, you know, is in fact good 
enough.” In fact, it is their practice, in part of Mr. Hartzog’s anal- 
ysis, that the agency doesn’t typically issue what would be referred 
to as a closing letter for investigations. 

But in my, you know, private, personal capacity appearing before 
the agency representing clients, the characterization you described 
is not consistent with my experience. 

Mr. Tierney. Are either Mr. Hartzog or Mr. Stegmaier familiar 
with a situation where their clients were notified, as Mr. Roesler 
was, that you apparently have a problem and then no further ac- 
tion was taken because your client did something about it? 

Mr. Stegmaier. So it hasn’t been my experience that the agency 
is typically calling to the attention of individual companies inci- 
dents or situations, but, rather, they come, investigation in hand, 
with an investigatory posture, trying to figure out what happened, 
rather than more a notice and corrective posture. 

But, to be clear, I am aware of numerous cases where the agency 
has chosen not to continue investigating. 

Mr. Tierney. Okay. 

Is that similar to your information, Mr. Hartzog? 

Mr. Hartzog. That’s correct, based on my information. 

Mr. Tierney. Thank you. 

Mr. Roesler, you received a letter from the FTC notifying you 
that they believed you had an issue and suggesting that you do 
something about it. 

Mr. Roesler. That’s correct. 

Mr. Tierney. All right. And what you did about it, you said, was 
you went and rechecked again to see if your people could find any- 
thing on the peer-to-peer; is that right? 

Mr. Roesler. What I said was that our IT subcontractor looked 
at our network to see if there was any P2P software within our net- 
work or on any of our computer laptops, any work stations. 

Mr. Tierney. Did you at all do any research or ask your legal 
counsel, your IT subcontractor, to do some research about what the 
best practices in your industry were and whether or not you were, 
in fact, complying with those? 

Mr. Roesler. Indeed, we did. 

Mr. Tierney. And what was the result of that? 

Mr. Roesler. The result was that we were meeting those stand- 
ards, our network was secure, and that we were compliant. 

Mr. Tierney. And did the FTC ever take any follow-up action 
against you? 

Mr. Roesler. None that I am aware of 

Mr. Tierney. Thank you. 

Mr. Stegmaier and Mr. Hartzog, again, your help, if you would. 
When a determination is made by the FTC that there is noncompli- 
ance or that there is an unfair or deceptive practice, are the pen- 
alties automatic, set at a certain amount once it is found? Or is 
there discretion for the FTC to take into consideration mitigating 
factors? 

Mr. Stegmaier. So the agency doesn’t actually have statutory 
penalty authority. They enter into a consent decree, which typically 
doesn’t have a monetary penalty or a remedy. 
As to the factors that they use in terms of how they decide which 
cases to prosecute or which cases not to prosecute, I would respect- 
fully disagree with Mr. Hartzog in the sense that, having done this 
for a long, long time, the precise motivations and contours of what 
constitutes reasonable behavior and reasonable information-secu- 
rity behavior from the perspective of the agency that’s authori- 
tative is no more clear to me today than it was 13 years ago. 

Mr. Tierney. I am going to let you guys fight that out offline 
here on that. 

So if there’s not a monetary penalty, what is the nature of the 
action that the FTC takes ultimately? 

Mr. Stegmaier. I think one way to think about it is to have a 
new board member who helps supervise your privacy and data-se- 
curity process for the next 20 years, including, typically, biennial 
privacy and data-security audits through an approved third-party 
contractor who essentially will, you know, audit and review your 
processes and report to the agency. 

Additionally, they have a tool which they call — is commonly re- 
ferred to as fencing-in relief, through which, once you’re under an 
order, you are subject to financial penalties if you should violate 
the order. And, in my experience, it’s not uncommon for companies 
to spend as much as a half-a-million dollars a year or more simply 
to undertake to comply with the underlying orders. 

So I would respectfully disagree with Mr. Hartzog to the extent 
that it takes into account the nature and size of the underlying 
companies. In fact, my experience has been the opposite, that the 
size of the company doesn’t dictate what level of security the agen- 
cy seems to believe is required in a number of instances. 

Mr. Tierney. And I assume that 

Chairman ISSA. The gentleman’s time has expired. 

Mr. Tierney. Can I ask unanimous consent for one further ques- 
tion? 

Chairman ISSA. As long as it doesn’t take another minute and a 
half extra, go ahead. 

Mr. Tierney. I’ll do my best. 

And the cost of this, sort of, outside entity or auditor that you’re 
talking about is borne by whom? 

Mr. Stegmaier. Entirely by the company, sir. 

Mr. Tierney. Thank you. 

Chairman ISSA. Thank you. 

Mr. Walberg. 

Mr. Walberg. Thank you, Mr. Chairman. 

And thanks to the witnesses for being here. 

Mr. Stegmaier, if you could just further help me to understand, 
what are the FTC standards for determining whether or not a com- 
pany’s data-security practices violate Section 5? 

Mr. Stegmaier. Thank you very much, sir. 

A couple of things. The articulated standard is one of reasonable- 
ness, and that is the extent of the standard. 

I note that for the folks that are here today — and I think this is 
important for the committee to understand — I think that we 
learned from Mr. Roesler and Mr. Daugherty that there were ini- 
tially begun investigated — the investigation in 2008. It wasn’t until 
2011 that the Federal Trade Commission issued a best-practices 
guide identifying a number of recommendations that it thinks are 
required for reasonable security. 

But to answer your question I think more directly, the troubling 
thing about that guide and the thing that has been difficult for 
many companies is, if you asked me to identify which, if any, of 
those items that they identify as best practices are legally required, 
I could not tell you. 

Mr. Walberg. So this is an evolving notion, as it were. 

Mr. Stegmaier. Absolutely. And I think the agency itself has 
taken that position repeatedly. The agency takes the position that 
it needs flexibility because technology is changing, what we think 
is privacy is changing, data security is changing. 

Mr. Walberg. Well, what, then, gives the FTC the authority to 
take enforcement on these evolving actions, especially in what’s 
considered reasonable? 

Mr. Stegmaier. Sure. So, as Mr. Hartzog identified, the lan- 
guage of Section 5 is incredibly broad, and courts have generally 
given deference under what’s known as the Chevron deference — 
Chevron case to agencies to determine their own jurisdiction. So, 
unless that exercise of jurisdiction is arbitrary or capricious, for the 
most part, absent Congress stepping in, the agency’s determina- 
tion, you know, will prevail unless or if a court disagrees. 

And, as I mentioned to the chairman earlier, there are a number 
of cases pending that challenge exactly this question. 

Mr. Walberg. Mr. Hartzog, do you agree or disagree that the 
FTC should be taking the lead in establishing new regulations gov- 
erning data-security practices? 

Mr. Hartzog. Well, I think that the FTC certainly plays the piv- 
otal role and should play the pivotal role in establishing data-secu- 
rity regulation in the United States, but I do think that it’s wise 
for the FTC to continue to defer to industry standards rather than 
try to make up their own standards, but, rather, follow what indus- 
try has determined is reasonable and appropriate data security. 
Because I think that that kind of deference keeps the FTC from 
acting in an arbitrary or inconsistent way. 

Mr. Walberg. So, in other words, kind of a shared partnership 
lead? 

Mr. Hartzog. That’s right. So it’s a co-regulatory regime, right, 
where you let industry say this is what is reasonable in our field, 
and then the FTC then looks to that to determine which companies 
have gone beyond the boundaries of reasonableness. 

Mr. Walberg. Mr. Stegmaier, can a business owner look up the 
rules for data security to make sure a business is in compliance? 

Mr. Stegmaier. So if you’re subject to the Health Insurance 
Portability and Accountability Act, you can. In fact, the HHS has 
issued privacy and data-security regulations. The Federal Trade 
Commission has not. 

If you are a financial institution subject to the Gramm-Leach-Bli- 
ley Act, there has been notice-and-comment rulemaking; you can 
look up those regulations. But, again, if you’re subject to the FTC’s 
jurisdiction 

Mr. Walberg. You can’t. 

Mr. Stegmaier. — you cannot. 

Mr. Walberg. A pattern is emerging. 
Mr. Daugherty, did you know where to look up the rules or infor- 
mal policies that governed FTC data-security practices before you 
were contacted by FTC? 

Mr. Daugherty. No, sir, because there were none. I mean, we’ve 
had professionals in and out. We had Stanson’s two people in. No 
one said anything about them. We were fully within the medical 
community. 

Mr. Walberg. How easy or difficult is it to keep up with these 
informal policies? 

Mr. Daugherty. Well, I think it’s nearly impossible, I mean, be- 
cause they don’t tell you till after the fact, whereas in HHS, in the 
world that we reside, in a regulatory world, it’s quite simple. But 
in, you know, the world of medicine, which they’re trying to get 
into, they’re not using that format. 

Mr. Walberg. And, finally, Mr. Daugherty, in your opinion, is it 
fair for the FTC to expect businesses like yours to be able to locate 
and follow data-security practices? 

Mr. Daugherty. Oh, we’re all for following data-security prac- 
tices, absolutely. But we need to, obviously, have them take a lead- 
ership role and not a reactionary role. 

As much as they want to say how broad this needs to be, breadth 
does not mean infinity, and there have to be some boundaries. And 
they seem to continually argue, well, we have broad scope, we need 
broad scope. But that doesn’t mean they don’t have to say any- 
thing. I mean, we all have laws. That doesn’t mean we call it a 
crime when we see it. 

So I think they need to be more reasonable in their boundaries 
and their communications, especially when they choose to get into 
medicine. That is really an alarming overreach. 

Mr. Walberg. Sounds reasonable. Thank you. 

My time has expired. 

Mr. Bentivolio. [Presiding.] The chair recognizes the gentleman 
from Massachusetts, Mr. Lynch. 

Mr. Lynch. Thank you, Mr. Chairman. 

Now, this dispute is currently in the FTC administrative court; 
is that correct? 

Mr. Daugherty. Is this to me? 

Mr. Lynch. Yeah, anybody. 

Mr. Daugherty. Okay. Yes, sir, against LabMD, yes it’s in ad- 
ministrative court, sir. 

Mr. Lynch. It seems to me that’s a good place for it. I don’t un- 
derstand how this matter — there are a lot of, you know, adminis- 
trative disputes that one side or the other feels offended by. It just 
surprises me that you’re before Congress, given the small amount 
of work we do anyway, and now we’re engaging in this. I just — I 
don’t think this whole dispute, this whole hearing is appropriately 
before us. Let me just get that out of the way. 

Earlier, Mr. Hartzog and Mr. Stegmaier, we heard the chairman 
say that — and get confirmation from two of the witnesses that 
there is no breach unless someone uses the information that’s been 
put out there. In other words, you can have a door that’s unlocked, 
I guess is the analogy that was used, and that even though infor- 
mation was not kept secure, there’s no breach until somebody actu- 
ally uses that information that’s been put out there. 
Is that the state of the law? 

Mr. Stegmaier. So, whether or not a security breach exists is ac- 
tually a term of art. As the members of the committee may be 
aware, I think at least 47 States have breach notification laws 
using differing standards or requirements. So I think we’d have to 
think about, sort of, a particular 

Mr. Lynch. Well, let me ask you, do any of those States say that 
the information has to be used before a breach is declared? 

Mr. Stegmaier. They tend to use the operative phrases, acquired 
or accessed without authorization. 

Mr. Lynch. Okay. So just putting the information out on the 
Internet, if nobody is using it, there’s no breach? 

Mr. Stegmaier. It’s an active matter of dispute as to whether the 
mere accessibility of information constitutes a security breach, and 
a lot of really smart people would disagree very vigorously. 

Mr. Lynch. Yeah. So you can put stuff out on the Internet, se- 
cure information on the Internet, and that wouldn’t be a breach, 
Mr. Stegmaier. 

Mr. Stegmaier. That’s not what I am saying at all. What I’m 
saying is 

Mr. Lynch. Okay. 

Mr. Stegmaier. — smart people would disagree, and they fre- 
quently and regularly do. 

But I think an important consideration is, under HIPAA, for ex- 
ample, whether you adhere to the security rule — in other words, 
whether your systems are, in fact, secure — is different than wheth- 
er or not you’ve had a breach. So under HIPAA 

Mr. Lynch. Well, I’m just asking you here whether it’s required 
in order to be guilty of a security breach, whether someone has to 
use the information. That’s what I’m asking you. 

Mr. Hartzog, do you want to take a shot at this? 

Mr. Hartzog. Sure. The mere fact of a breach itself, actually, 
isn’t a violation of any particular law, right? So there are a couple 
of points: One is the Section 5 defining an unfair trade practice as 
one that either causes harm or is likely to cause harm. You actu- 
ally don’t have to have any kind of breach or misuse in the first 
place. 

Mr. Lynch. Yeah. 

Mr. Hartzog. The second point is, the only harm that can come 
isn’t necessarily one of, like, say, user ID theft, right, so mere expo- 
sure can constitute it. 

And then the third thing to remember is that the wrongful ac- 
tions here aren’t that a breach occurred, right? A breach is really 
perhaps just a symptom of the problem, which is a failure to have 
good data-security practices. So regardless of whether the breach 
happened or whether it didn’t happen, whether information was 
available or whether it wasn’t available, all of that only really goes 
towards showing whether there were good, reasonable data-secu- 
rity practices or not. And that’s really what we’re looking for. 

Mr. Lynch. Right. That’s the preventative aspect of this. 

Mr. Hartzog. Right. 

Mr. Lynch. If we had to wait till your Social Security was used 
by someone, you know, then 

Mr. Hartzog. Correct. 
Mr. Lynch. — we would have to sit on our hands until somebody 
was abused, you know, somebody’s information was acquired. 
And 

Mr. Hartzog. Which is very difficult to show. And it’s important 
to remember that data security is a probabilities game, right? 
So 

Mr. Lynch. Right. 

Mr. Hartzog. — what you want to — there’s no such thing as per- 
fect data 

Mr. Lynch. Let me just jump to this quick. Mr. Roesler, your 
clinic serves patients that may have HIV or AIDS; is that right? 

Mr. Roesler. That’s correct. 

Mr. Lynch. Did the master list file have personal information 
about clients of the Open Door Clinic? 

Mr. Roesler. It did. 

Mr. Lynch. And about how many Open Door clients were listed 
in the master list file? Do you know? 

Mr. Roesler. About 150. 

Mr. Lynch. And the FTC wrote you that the clinic file master 
list was available to users on this peer-to-peer file-sharing network, 
right? 

Mr. Roesler. They did. 

Mr. Lynch. So the information was out there. So are you saying 
that the FTC was wrong to contact you on that? Is that part of 
your complaint? 

Mr. Roesler. Not at all. No. 

Mr. Lynch. Okay. Where did the — the FTC has not filed an en- 
forcement action against you for that, right? 

Mr. Roesler. That’s correct. 

Mr. Lynch. So wherein lies the overreach on the part of the 
FTC? 

Mr. Roesler. I am not aware of overreach. 

Mr. Lynch. Okay. 

I’ll yield back. Thank you. 

Mr. Bentivolio. The chair recognizes the gentleman from Ten- 
nessee, Mr. Duncan. 

Mr. Duncan. Well, thank you, Mr. Chairman. 

And I appreciate Chairman Issa calling this hearing because 
what I’ve heard thus far is very disturbing to me. I was presiding 
over the House until a few minutes ago, and so I didn’t — I’m sorry, 
I didn’t get to hear the testimony. 

But if I understand this correctly, Mr. Daugherty, this Tiversa 
firm contacted you or your company and told you of possible prob- 
lems and asked you to hire them at a rate of $475 an hour, and 
then when you declined to do so, they turned you into the FTC. 

Mr. Daugherty. That’s correct. That was all in 2008. 

Mr. Duncan. And then the FTC started pursuing you, taking ac- 
tion against you. 

Mr. Daugherty. That’s correct. 

Mr. Duncan. And I think I just was told that you’re close to 
being out of business, or 

Mr. Daugherty. The laboratory operations closed in January of 
this year because we’ve been completely sideswiped by this. 

Mr. Duncan. And Mr. — is it “Roesler” or “Roesler”? 
Mr. Roesler. It’s “Roesler.” 

Mr. Duncan. “Roesler.” Mr. Roesler, your story is very similar, 
is that correct, except you’re still in business? 

Mr. Roesler. I don’t know that my story is similar. It’s got its 
differences. Yes, we are still in business. 

Mr. Duncan. But you were contacted by Tiversa 

Mr. Roesler. That’s correct. 

Mr. Duncan. — and for $475 an hour they would take care of 
your problems? 

Mr. Roesler. That’s also correct. 

Mr. Duncan. And then when you declined, they contacted the 
FTC. 

Mr. Roesler. That I’m not aware. 

Mr. Duncan. Well, according to the staff briefing we have, the 
FTC — this Tiversa company told on or reported or turned almost 
100 companies into the FTC. 

And, Mr. Hartzog, don’t you think that, in light of what’s come 
out here today, that the FTC should check on something like this, 
if another private company turns in a company, to see what conflict 
of interest is present? Because there certainly was a conflict of in- 
terest in these cases we’re hearing about. 

Mr. Hartzog. It’s difficult for me to speculate on that without 
knowing the exact details. But it’s my understanding that the FTC 
actually gets information about what constitutes, you know, a po- 
tentially unfair or deceptive trade practice from lots of different 
sources, including public complaints in general, many of which 
might be valid and many of which might actually be invalid. 
And 

Mr. Duncan. Well, I know they get them from many sources, but 
when there’s an obvious seemingly almost criminal conflict of inter- 
est involved, it looks like the FTC would at least check that out. 
Because that could easily be checked out on the front end of things. 

Mr. Hartzog. Well, certainly, the FTC should make sure that 
any allegation that’s turned into them is actually valid. And so I 
think that, of course, it’s incumbent upon them to make sure that 
the facts that are alleged to them are actually true. 

Mr. Duncan. Mr. Stegmaier, you’re a law professor. Do you think 
anyone should be prosecuted criminally on things like this, what 
you’ve heard here today? 

Mr. Stegmaier. If the facts as alleged turn out to be true, no, 
I would not think that prosecution should necessarily be appro- 
priate. But I think if I’m understanding your question more cor- 
rectly, do I think it’s appropriate for this committee and Congress 
to review the agency’s behavior, I think it’s incumbent on Congress 
to do so. 

Mr. Duncan. What do you think should be done in addition to 
this committee looking into it? 

Mr. Stegmaier. So I don’t profess to be an expert on all of the 
remedies or different, you know, mechanisms. But one of the things 
that I think we’ve seen and I think is, you know, critically relevant 
is to create an environment where companies can understand 
what’s actually expected of them as a matter of law so that then 
when and if the agency should come to investigate them there’s 
much less of an element of surprise. And that’s really sort of the 
crux, right? The Constitution protects us from being prosecuted 
when we couldn’t possibly have known what the law is. 

And I think Mr. Daugherty could testify or would testify about 
his experience in that regard, and I think he has testified to the 
effect that he understood that he was subject to HHS’s jurisdiction. 
And being subject to the FTC’s jurisdiction and then what that 
meant in terms of what’s actually required is as opaque today as 
it was in 2008 for him. 

Mr. Duncan. Well, the problem that many of us see now is that 
the Federal Government is prosecuting people for unintentional 
violations of the law. And that’s not supposed to be criminal, but 
a zealous prosecutor can make an innocent, unintentional violation 
of the law seem to be criminal, and that’s a pretty dangerous thing. 

The government should be in the business of trying to help com- 
panies stay in business, not with the goal of trying to run people 
out of business, unless they have definite proof of intentional ef- 
forts to defraud people. 

Thank you very much, Mr. Chairman. 

Mr. Bentivolio. The chair recognizes the gentleman from Vir- 
ginia, Mr. Connolly. 

Mr. Connolly. Thank you, Mr. Chairman. 

And welcome to our panel, especially my constituent, Mr. 
Stegmaier, who’s obviously cogent, astute, perspicacious, very com- 
pelling testimony. And we’re not surprised, coming from the 11th 
Congressional District of Virginia. 

Mr. Stegmaier. Thank you, sir. 

Mr. Connolly. Mr. Stegmaier, I wanted to clarify something you 
testified to just now. What is the status of Mr. Daugherty’s case be- 
fore the FTC? 

Mr. Stegmaier. So I haven’t been following the precise contours 
of the case other than the existence of the administrative procedure 
is highly, highly unusual. I’m not aware of any other case that’s ac- 
tually used that procedure. 

Mr. Connolly. Mr. Daugherty, what is the status of your case? 

Mr. Daugherty. The case is on pause until the immunity deci- 
sion and proffer is worked out with this committee. And then the 
judge will make a decision from that point. 

Mr. Connolly. Okay. So it’s still in adjudication. Pending. 

Mr. Daugherty. Pending. 

Mr. Connolly. But there’s been no verdict delivered or 

Mr. Daugherty. No. This is correct. 

Mr. Connolly. Well, I will say I share some of — more than some 
of the misgiving of my colleague from Massachusetts, Mr. Lynch, 
about the appropriateness of this committee even the perception of 
intervening in the midst of, you know, a regulatory adjudication, 
for fear that, you know, we start to set a precedent. So anybody, 
you know, who doesn’t like a procedure can just come here and 
we’ll have a hearing and judge it for ourselves. I just think that’s 
a dangerous precedent if that, indeed, is what’s going on. 

Mr. Stegmaier, the title of this hearing is “FTC Section 5 Author- 
ity: Prosecutor, Judge, and Jury.” Do you view the FTC as playing 
a role as prosecutor, judge, and jury? 

Mr. Stegmaier. Absolutely. I think the structure of the adminis- 
trative state, Section 5 being very broadly worded, with the agency 
getting deference to its own determinations about its jurisdiction, 
as well as its interpretations of the law being plausible, absolutely 
create a situation where it is difficult, if not impossible, to create 
due process remedies or ways for review that most regular people 
would think our system of justice entitles them to. 

And with respect, Mr. Connolly, to your comments about this 
particular proceeding, one of the things that strikes me is that, 
with respect to the fair notice doctrine and due process generally, 
if not here, where else? And I think that really begs the question. 
You know, in other words, Mr. Daugherty, I am not sure has any 
other place that he could go unless and until this proceeding is re- 
solved. 

So, you know, again, maybe I’m a bit of, you know, sort of a sen- 
timentalist, but I think the due process concerns here are so sig- 
nificant that I would be, you know, troubled to wonder where else 
one might go for redress. 

Mr. Connolly. That sounds good, Mr. Stegmaier, but we cannot 
be substituting ourselves for regulatory agencies in the midst of 
their administrative procedures. The precedent that sets is very 
dangerous, in my opinion. 

And, by the way, if there were thousands of them, there’s no way 
you could raise the expectation that, no, no, this is where you come 
for redress if you don’t like the process. Though, I am not dis- 
agreeing with you about the fact that there may be way too much 
authority, frankly, vested in this process. And that’s a legislative 
issue, but not an adjudication. 

Mr. Hartzog, would you respond to what Mr. Stegmaier said? 
Didn’t he make a pretty good point there? 

Mr. Hartzog. Sure. No, so I would actually disagree. I mean, I 
agree in the sense that, you know, this kind of title of “judge, jury, 
and executioner” is — the FTC is not unique among administrative 
agencies in that it has been given enforcement power and the 
power to kind of dictate rules. That’s actually kind of administra- 
tive law generally, right? So, to the extent that the FTC has the 
power to enforce the law and create rules through case-by-case ad- 
judication, the FTC seems to be hardly unique in that respect. 

With respect to, kind of, fair notice, due process concerns 

Mr. Connolly. Well, can I just interrupt you there? Mr. 
Daugherty has a blog in which he refers to the FTC as “lying, 
cheating, breaking every rule in the book.” “All professional tyrants 
and bullies have plenty of tricks up their sleeves. This nest,” pre- 
sumably the FTC, “is no exception.” 

So Mr. Daugherty 

Chairman ISSA. [Presiding.] Would the gentleman yield? 

Mr. Connolly. Of course. 

Chairman ISSA. I think many Members on your side of the aisle 
have said the same about me on the dais. These allegations are not 
unique, are they? 

Mr. Connolly. Yeah, but I don’t know if we all have blogs. 

But, I mean, putting a charitable interpretation on what clearly 
is a source of anger and frustration for Mr. Daugherty is a sense 
of: I am not being treated fairly. This process is far beyond just a 
routine administrative process. It is one that, you know, is all-en- 
compassing and all-powerful and capricious. My word, not his. 
So is this just like any other administrative process? Is there 
something unique or different about this one? I’m not referring to 
the particular case; I’m talking about the process. Because you just 
said, well, it’s hardly unique. But if I read this blog and only rely 
on it for witness to the FTC process, I might conclude it most cer- 
tainly is different and unique, or at least I hope it would be, if this 
is accurate. 

Mr. Hartzog. Well, I can’t comment as to the factual specifics. 
My 

Mr. Connolly. I’m not asking you to. 

Mr. Hartzog. Right, right. So without knowing the internal de- 
liberations of what happened with respect to the FTC investigation 
with this particular case, I will say if you look at the complaint 
that was filed in this case, it is very consistent with all of the other 
FTC data-security complaints. The FTC has been regulating data 
security since the late 1990s, and they’ve done so in a very conserv- 
ative and incremental manner. The language that they employ is 
very consistent across every single complaint. The language that 
they use in their consent orders is very consistent. 

And so if you look at the complaint that was filed in this case, 
it does, indeed, look very similar to lots of other complaints filed 
by the FTC. And so, in that regard, this is, you know, just another, 
kind of, incremental iteration on the FTC’s data-security regula- 
tions. 

Mr. Connolly. And just a final point, if I may, Mr. Chairman. 

Do you agree with Mr. Stegmaier that, if not here, where, that 
this is a place to come for redress if you feel you’re not getting it 
in the administrative law review — I mean, the administrative judi- 
cial process? 

Mr. Hartzog. Well, I would just call note to the fact that every- 
one that is subjected to an FTC complaint has the right to judicial 
review. And so, you know, that seems to be the structure that was 
put in place precisely to put a check on administrative agencies. 

Chairman ISSA. Would the gentleman yield? 

Mr. Connolly. Of course. 

Chairman ISSA. Just for a short colloquy. I think you made an 
assertion that perhaps this hearing and our what you called “inter- 
vening” with the FTC was inappropriate. I just want to go through 
a couple of things very quickly for our benefit. 

Have you had a chance to look at any of the proffer material 
brought to the committee voluntarily by a whistleblower? 

Mr. Connolly. I’m not sure what the chairman is referring to. 
I’ve looked at a lot of material. 

Chairman ISSA. No, no. There was a proffer brought. The com- 
mittee staff has reviewed some of it. There was a whistleblower 
who came to us, unrelated. We did not initiate it, but rather a 
whistleblower came to us. And that, in combination — and perhaps 
your staff can arrange — at the beginning, I asked everyone to look 
at the proffer. It goes more than an hour. 

But, additionally, the reason that this committee feels that, not- 
withstanding an ongoing — many-year ongoing FTC activity, that, in 
fact, because Mr. Boback testified before this committee twice while 
he was, in fact, turning people into the FTC for eventual prosecu- 
tion, and because a whistleblower came to us, and because that 
whistleblower took the Fifth at the — asserted his Fifth Amendment 
rights at that proceeding, my understanding is the administrative 
law judge has for the time being held up, with no prejudice whatso- 
ever, his proceeding as we continue to try to go forward. 

The judge is able to go forward with the case at any time, of 
course, but both this chairman believes that we should hear the 
testimony of the whistleblower here and I think the FTC would like 
to hear the testimony of that individual because, since he was a 
prior employee of Tiversa, he is, in fact, likely to be a fact witness 
as to whether or not there is credible evidence against Mr. 
Daugherty’s company, which, by the way, doesn’t go to the FTC’s 
authority that we’re discussing here today. It really goes to the 
question of, is the FTC accurate in one or more of its pleadings? 

And for the gentleman’s edification, it is our opinion that, at a 
minimum, if the assertions that have been made are true, the FTC 
has been misled and this committee has been misled on multiple 
occasions. The Secret Service, NCIS, the White House, through the 
assertion made — and I don’t know if the gentleman was here when 
it was made, but the assertion that Marine One’s cockpit upgrade 
was compromised when it was in Iran may not have been true. All 
of those things caused this committee to think that we need to act 
now and to look into it. 

But I appreciate the gentleman’s rightful statement that it’s not 
for us to second-guess the FTC. Their administrative law judge has 
to make their own decision. We also, though, believe that we have 
an independent obligation based on the things I outlined, and I 
would hope the gentleman would agree. 

Mr. Connolly. Mr. Chairman, it might surprise you to hear 
that, in some measure, I do agree. However, I guess I’m raising the 
question, not for a solution here, about, what are the right bound- 
aries for us, and when do we properly intervene because of our 
oversight function and duty? 

I was asked before this hearing, you know, do we have a role to 
play in oversight of FTC, and my answer was absolutely. And if 
there’s, you know, something to be reformed or something certainly 
to be looked at, that is absolutely a proper function of this com- 
mittee. And the idea that it’s never proper is to be rejected. 

However, there are boundaries. And when there’s a specific case 
in front of a judge, I am concerned that it not even be construed 
as a perception that we are attempting to tilt the judgment in a 
particular way or to make ourselves the place of redress when peo- 
ple have a grievance, even though that grievance may very well be 
legitimate. 

Our role is not to hear the case all over again. It is to try to, you 
know, ameliorate the grievance if there are legitimate aspects to it 
that can be addressed legislatively. That’s what I was raising. 

Chairman ISSA. And I think the gentleman and I would agree 
that we have to be very careful, both yesterday with the IRS and 
today with the FTC. But I do believe, when somebody has testified 
before this committee multiple times, the assertions may be incor- 
rect, and, as a result, a series of suits already completed by the 
Federal Trade Commission with consent decrees might, in fact, 
have been flawed. 
And, tangentially, Mr. Roesler, obviously, we are concerned that 
a pattern of activity, business practices, you may have been a vic- 
tim of and suffered — you and your insurance company suffered dis- 
traction and cost for years. So we are concerned with it. 

And that’s why I was so appreciative of your being here today. 
This was a tough one for you to do. It’s tough for you to tear your- 
self away and to take time out. But, hopefully, maybe a little bit 
like some hearings we’ve had over the years, where people don’t 
understand them at the beginning of it, if, in fact, they come to 
some of the assertions being true, then at the end of it all people 
will say, yes, it was worthwhile. 

If, Mr. Connolly, if, at the end of it all, whistleblower statements 
are wrong, assertions are wrong, and all of what we have been told 
is not true, and if, for example, that Pittsburgh event, the law firm 
was just a coincidence, if, in fact, both of these individuals had real 
breaches, then, in fact, if all those things be true, then, in fact, we 
went down a look-see that didn’t end up. But today I believe very 
strongly and I think at least two of our witnesses feel strongly that 
there’s at least a credible case to look into it. 

And I might close — and I thank the gentleman for so much yield- 
ing. I remember when Pat Tillman’s family was in front of this 
committee. I remember us looking at various events that were very 
controversial, assertions by grieving family members. This com- 
mittee has taken the breadth of investigations by both sides’ chair- 
men, and we have explored them. We explored steroids in baseball. 
We’ve done a number of things. The ranking member and I have 
continued to work on trying to clean up the NFL’s problem with 
human growth hormones. Those are not within the mainstream. 

So I do appreciate the gentleman. And I want to be very careful. 
I would ask, again, all Members to look at the proffer, to meet with 
the whistleblower. Even if he is never to be granted the oppor- 
tunity to testify, the proffer itself might give you the reason for 
why we are going forward to try to find the facts through other 
means and why this hearing is here today. 

Mr. Cummings. Will the gentleman yield? 

Chairman ISSA. Of course. 

Mr. Cummings. First of all, Mr. Chairman, you know, I was 
questioning as I was listening to Mr. Connolly whether this is, in 
fact, intervention. I’m not sure that it is, to be frank with you. But 
I’m hoping that, at the end of the day, that the FTC hears this. 
Clearly, there are some things that need to be resolved here. 

And, you know, when I hear the stories of Mr. Daugherty, Mr. 
Roesler, I think it concerns all of us if you have been treated un- 
fairly, because we try to fight against that kind of thing. 

But, again, I think — and I’m glad you said what you said about 
being careful. Because it’s interesting, in my office, Mr. Connolly, 
I tell my staff that if somebody walks in there and there’s any kind 
of pending anything, judicial, quasi-judicial, I’m not touching it. I’m 
just not going to touch it, because I don’t want to interfere. 

Mr. Connolly. Right. 

Mr. Cummings. And I think there’s probably a problem with it 
anyway, ethically. 

But, hopefully, this will lead to something where there’s some 
clarification, Mr. Chairman, so that we don’t have these kind of situations, 
or, if nothing else, at least some clarity comes to the people 
who are in the industry as to what is expected of them, what’s 
fair, what’s reasonable. 

Mr. Cummings. And if we can come to that — and, again, as I said 
a little bit earlier, Mr. Chairman, we have not said absolutely 
against immunity for a whistleblower. We just want to make sure 
that we dot our i’s, cross our t’s. 

And so, thank you very much. 

Chairman ISSA. I thank the ranking member, and I thank Mr. 
Connolly. 

We now go to the very patient quasi-expert on HIPAA, Dr. 
Gosar. 

Mr. Gosar. Well, thank you, Chairman. 

I’m a dentist before I came to Congress, so I’m very aware of 
HIPAA and OSHA, and it’s very different from what I’m under- 
standing here, Mr. Daugherty, right? I mean, we have classes, we 
have rules, regs. They’re pretty astute and pretty well-defined, 
right? 

Mr. Daugherty. Yes, Congressman. As a matter of fact, we enjoy 
daily mailing offers for educational seminars that anyone could 
have at any day. 

Mr. Gosar. And so, like, a typical small business, you update, 
you try to keep up with trends, making sure that you’re up to par 
in protecting databases, as well, true? 

Mr. Daugherty. Correct. We always had an IT staff of at least 
3 people, even when we were only, like, 15 employees. And we also 
had an outside company help. 

And, as a matter of fact, we upgraded to — we found in the small- 
business community and in the medical community that’s under 
100 or 200 employees, there were no security products out there. 
So when the FTC approached us, when we were trying to get an 
answer of what to do and we couldn’t get an answer, we went out 
to the industry, and they didn’t have products for us. They only 
were with 500-employee companies and up. So we had to find a 
company that would actually customize something for us that was 
built for someone bigger that would actually work with us, and we 
could only find two vendors to do it. 

Mr. Gosar. So, I want to get back to this fair notice. It seems 
like if what I heard from Mr. Hartzog in regards to looking across 
the industry for fair and applicable application, they should’ve 
taken some of that into consideration. 

Mr. Daugherty. Well, I would agree with that, sir, yes. 

Mr. Gosar. Yeah. 

Mr. Hartzog, are you real familiar with why the FTC is even in 
business today? Do you understand the history from 1978 to 1980? 
In fact, my Democratic colleagues almost — actually shut them 
down during 1980. 

Mr. Hartzog. I 

Mr. Gosar. And underneath, in regards to — the FTC only sur- 
vived in its agreement to limit its discretion by issuing its now-re- 
vered unfairness policy statement, true? 

Mr. Hartzog. That’s correct. 
Mr. Gosar. So there’s even more onus — you bypassed it, but 
there’s even more onus on the FTC to be fair and applicable across 
these applications. Would you agree? 

Mr. Hartzog. Yes. They are 

Mr. Gosar. Well, I mean, so the statute and the mission is very 
specific to the FTC, right? So the application across all agency 
boards are not exactly what you said. 

Mr. Hartzog. Well, with respect to whether something con- 
stitutes an unfair trade practice. So it actually isn’t even limited 
to deception, but the policy codification was to an unfair trade prac- 
tice. 

Mr. Gosar. Well, my whole point is the FTC is further scruti- 
nized by its jurisdiction in regards to that. So they were disciplined 
by Congress, okay? 

Would you agree with that, Mr. Stegmaier? 

Mr. Stegmaier. I think the agency has more of a track record, 
historically, and speaking purely historically, of potentially running 
afoul and having congressional oversight. And, for example, their 
rulemaking authority is highly constrained coming out of some of 
the same things I believe you’re talking about. 

Mr. Gosar. Yeah. So let me — I guess my question is, if we’re co- 
ercing settlements, what good is the rule of law? How are we over- 
seeing the FTC in a proper adjudication if they’re already being 
scrutinized a little differently because of their past history? 

Mr. Stegmaier. I think it’s a really good question, and I think 
it’s one we need to explore further. 

Certainly, having represented companies that felt they were 
being coerced, I very much sympathize with the tone and tenor of 
your statement. And, in the same breath, I would just say that my 
experience with the folks actually working at the agency has been 
of a really bright, hardworking, dedicated group of people that be- 
lieve in what they’re trying to do. And I think one of the things 
that can be happening here is a bit of disliking the messenger 
versus the message. 

And part of that is simply because we, as a society, haven’t re- 
solved what privacy and data security mean, but we have a law en- 
forcement agency that’s out there prosecuting companies with what 
it thinks it means, you know, over more than a decade now. And 
that’s really, I think, what brings us here, is a tough spot inde- 
pendent of anything that Mr. Daugherty or the other information 
before the committee or the proffer, none of which I’m specifically 
familiar with. 

Mr. Gosar. And it seems to me that we haven’t had oversight 
or reauthorization of the FTC, and maybe we need a mission. I 
mean, just because you’re bright and you’re affable in your job, it 
doesn’t make you right in your application of the law, does it, Mr. 
Stegmaier? 

Mr. Stegmaier. So I made a note to myself earlier: Just because 
you do something doesn’t mean you have the authority to do it. 
And so I would agree that a measure of oversight and review is ap- 
propriate, given, as the agency acknowledges, that technology is 
moving very rapidly, data is moving very rapidly, and, clearly, the 
agency has a very important role to play, but that is one that is, 
you know, limited and subject to congressional review. 
Mr. Gosar. And so, would you still agree that the review of 
you’re innocent until proven guilty? 

Mr. Stegmaier. I would agree that you are absolutely innocent 
until proven guilty. I think that’s the entire reason why I’m here 
today. 

And I think, more importantly, it’s really a shame if you’re pros- 
ecuted and you couldn’t possibly have known what the legal re- 
quirement was for which you are being prosecuted. And that’s what 
the fair notice doctrine is about in the articles I’ve written. 

Mr. Gosar. Yeah. 

Mr. Hartzog, would you agree with that? 

Mr. Hartzog. I agree with the general statement, but I would 
also say that the case-by-case way of establishing law is actually 
a part of 

Mr. Gosar. I mean, you didn’t give a very good, I mean, notice 
about applicability across the board here. You tried to cite as an 
expert witness, and you tried to cite, which you really couldn’t. And 
shouldn’t that be more based upon predicated caselaw so we should 
see, instead of coerced settlements, we see more applicability going 
towards the courts? 

Mr. Hartzog. If I might, actually 

Chairman ISSA. The gentleman’s time has expired, but you may 
answer. 

Mr. Hartzog. Thank you. 

If you look at the complaints, actually, we actually see substan- 
tial overlap of the FTC complaints with the HIPAA security rule 
and Gramm-Leach-Bliley. And so, actually, it’s actually a fairly 
nuanced standard. If you look at the complaints which, established 
in a case-by-case manner, really outline what an unfair or decep- 
tive trade practice is. 

Mr. Gosar. Thank you. 

Chairman ISSA. Thank you. 

We now go to the gentlelady from Illinois, Ms. Duckworth. 

Ms. Duckworth. Thank you, Mr. Chairman. 

Thank you, gentlemen, for being here today. 

I just want to establish some clarification. And, Mr. Roesler, I 
know you do tremendous work in support of our citizens who are 
suffering from AIDS and do everything that you can through your 
organization to support your clients. 

I just want to, sort of, go through the timeline of your particular 
instance. You were contacted by Tiversa saying that they had these 
files that they had found on peer-to-peer networks and that for a 
certain amount of money they could help you with it. Subsequent 
to that, you then went to your IT providers and did a thorough 
search and determined that nothing in your networks had been 
breached. Is that correct? 

Mr. Roesler. That is correct. 

Ms. Duckworth. And, at a later point in time, you received a 
letter from the FTC saying that there was this file in the Internet, 
and it was a different file name from the file that Tiversa had in- 
formed you was out there. Is that correct? 

Mr. Roesler. That’s also correct. 

Ms. Duckworth. Great. 
Prior to this time, did you not suffer a break-in to your facilities, 
where a laptop was physically stolen from your facility? 

Mr. Roesler. That’s correct. In 2007, Open Door was the victim 
of a theft of one of our laptops in our Aurora clinic space. 

Ms. Duckworth. Correct. And you did report that crime to the 
police? 

Mr. Roesler. That was reported, yes. 

Ms. Duckworth. Yes. 

So when you got the notice from FTC with a different file and 
in going back and reviewing, is it true that you have determined 
that these files that were on the Internet were not a result of any 
type of a security breach to your network but probably came from 
that laptop that was stolen? 

Mr. Roesler. That is an assumption that we do have, that the 
laptop that was stolen had these as well as other documents on 
that computer. 

Ms. Duckworth. And so the FTC has not pursued — has not con- 
tacted you other than that first letter to say they found these files 
on the Internet, this is a warning, you need to deal with it. Is that 
correct? 

Mr. Roesler. That is correct. Thank you. 

Ms. Duckworth. Okay. 

Do you have any evidence that the FTC turned over information 
of any of those files to any law firm that then initiated the class 
action lawsuit against you? 

Mr. Roesler. No evidence at all. 

Ms. Duckworth. No evidence at all. 

So what I’m trying to get to here is the fact that there are two 
different things going on. There are the practices, which I think ap- 
pear to be very egregious, on the part of Tiversa, which I want to 
get to the bottom of, and then the fact that you were very much 
a victim of an actual theft to a facility that probably did have a 
lock on your front door, quite literally, and then the FTC finding 
a different file on the Internet from the one Tiversa contacted you 
with and said, hey, this file is out there, take a look at it. You dealt 
with it. 

The only thing that I’m somewhat concerned with in terms of 
your actions is that you did not notify your clients for over a year 
whose names were on that stolen laptop. Is that correct? 

Mr. Roesler. That is correct. 

Ms. Duckworth. But that’s a matter for State law; that’s not 
under the jurisdiction of this committee here. 

But you’ve settled the lawsuit with this law firm, wherever they 
got the information from, not from the FTC but from somewhere 
else. Your clients — many of whom are back with you and are happy 
with the treatment that they’re getting? 

Mr. Roesler. That’s correct. We are back to doing business as 
usual. 

Ms. Duckworth. Which you love, which is taking care of your 
clients. 

Mr. Roesler. Very much. Thank you. 

Ms. Duckworth. Thank you. 
Mr. Hartzog, could you give me your opinion on, was it appropriate 
for the FTC to contact Mr. Roesler to say that, hey, we found 
a file on the Internet that contains your clients’ names? 

Mr. Hartzog. Sure, in the sense that the FTC has, you know, 
a broad ability to look into lots of different data breaches to deter- 
mine whether there was reasonable data security or not. 

Chairman ISSA. Would the gentlelady yield just for a point of in- 
formation? 

Ms. Duckworth. Yes, I’ll yield. 

Chairman ISSA. The committee can provide you with the pro- 
duced written data that shows that Tiversa provided that informa- 
tion to the FTC. So the source in both cases was Tiversa directly 
in contact and then indirectly when the FTC gained from Tiversa 
that same information that Open Door failed to, if you will, pay for 
protecting. 

Ms. Duckworth. Thank you, Mr. Chairman. But I do think the 
FTC did contact Mr. Roesler with a different file name. 

Which is how I believe you were able to come to the conclusion 
or the assumption, a working hypothesis, as it were, that it likely 
came from this laptop and not from a breach of your network. 

Mr. Roesler. Okay, no, that’s not exactly correct. 

Ms. Duckworth. Okay. 

Mr. Roesler. So during the litigation and during discovery, the 
law firm was able to produce quite a few documents that had been 
downloaded from a peer-to-peer network. It was when we started 
looking through the piles of documents that we were able to ascer- 
tain what the likelihood is of which employee might have been pro- 
ducing most of those documents. And from there, we were able to 
then figure a timeline that, well, this employee doesn’t currently 
have these documents on their current laptop; however, come to 
think of it, 2 years ago, their laptop had been stolen out of our clin- 
ic. And that’s when we started moving backwards in that thought 
process. 

Ms. Duckworth. Okay. Thank you. 

I’m out of time, Mr. Chairman. 

Chairman ISSA. Thank you. If the gentlelady would just allow me 
to follow up on your line? 

Mr. Roesler, do you believe that Tiversa provided you with all 
the information and all the files that they had found? 

Mr. Roesler. Could you repeat that question? 

Chairman ISSA. In other words, when they approached you and 
said, we found this vulnerability, do you believe at that time they 
provided you with a sample of what they had found or all of it so 
that you could figure out the source? 

Mr. Roesler. Thank you, Chairman. That’s a very good question. 

They produced one document, what I believe to be — it is my opin- 
ion, but that they had more than the one that they described to us 
that they had at the time. 

Chairman ISSA. And I’ll go to the ranking member in just a sec- 
ond. 

The reason I want to do that is Ms. Duckworth’s two different 
documents. Since our data that’s been found in discovery shows 
that Tiversa did turn over to the FTC the documents, or that we 
have a list with your name and so on on it, it appears as though 
what FTC brought you, which was a different document, was also 
from the same source of Tiversa. 

And, Ms. Duckworth, the reason — and I appreciate that you’re 
talking in terms of looking at Tiversa and so on — is, as far as we 
can tell, the only taker of this personal identifiable information 
that we know for sure reached into his systems on his network and 
pulled out files was Tiversa, who reached in, pulled them out, and 
turned them over to the FTC. That’s the part that we know, is that 
at least one company found the vulnerability, took the information, 
gave it at a minimum to the FTC. And there is some question by 
the committee as to how the law firm got that same list and pro- 
duced a class action, a law firm in the same city. 

And that’s, I think, what the gentlelady is really looking at, is 
this doesn’t look good. And the effects on Open Door were dev- 
astating. 

Ms. Duckworth. Well, I would agree with the chairman that the 
effects on Open Door were devastating, but I don’t agree that they 
reached into their network. Open Door has determined that there 
was no breach of their network. And, in fact, the data breach came 
from a stolen laptop. So if Tiversa got this information, they got it 
from someone else who uploaded the information from a stolen 
laptop, 2 years prior, to the Internet. 

It was not a breach of their network. They did a thorough search 
of their network. And, in fact, Tiversa is getting this information 
that someone else, presumably the thief who broke into their facili- 
ties and stole their laptop or someone that got that information off 
the laptop, uploaded. It’s two different mechanisms 

Chairman ISSA. And I share with the gentlelady very much 
versions of that possibility. That laptop that was stolen could’ve 
had LimeWire added to it. It could’ve been put up on the thieves’ 
Internet site, and Tiversa could have found it out on the Internet. 
The interesting thing was that Tiversa did not go to the laptop or 
to some other posting; they actually went to this company and said, 
we found the vulnerability on your site. 

And that’s what is so perplexing, is they didn’t say, we found this 
information in the Internet. They went to Open Door and said, we 
found your vulnerability and we offer you services for your vulner- 
ability. Now, my understanding is Tiversa also will talk about help- 
ing cleanse lost data, clean up what’s been out there on the Inter- 
net. There’s a lot of services people talk about. 

But it is confusing that, in fact, this data, we know for sure, got 
into Tiversa’s hands. And in our discovery, we do not yet know, did 
they really get it off of your Web site at Open Door? Did they get 
it off the stolen laptop? 

One thing we’re convinced about is that they may very well have 
never gotten it, seen it somewhere in the Internet, except on a vul- 
nerability from a peer-to-peer. And, in fact, it may never have been 
made available so as to harm the 180-plus AIDS patients that in 
some measure felt offended and served a lawsuit. 

Ms. Duckworth. I would have to disagree with one portion of 
that, Mr. Chairman. I share your concern with Tiversa’s very pred- 
atory practices, and I think we should look more into it and I 
would love to have them here. But I think, in this case, Tiversa 
said they found this data on a peer-to-peer network, not on Open 
Door’s network. They found it on a peer-to-peer network. That’s 
what they told Open Door, “We found it on a peer-to-peer network.” 

Open Door then went in and looked at their peer-to-peer network 
and saw and confirmed that it had not been breached and that 
there was no vulnerability in their peer-to-peer network. Just be- 
cause Tiversa found it on a peer-to-peer network does not mean 
that that peer-to-peer network belonged to Open Door. Someone 
else uploaded it from, likelihood, that stolen laptop to a different 
network. 

So I just want to make sure that Tiversa is — they could possibly 
be trolling the Internet for this data on various peer-to-peer net- 
works, not necessarily Open Secret’s, found it, and then tried to get 
them to purchase services. So it’s two different things. And I just 
want to make sure that this is — the things that Open Door has suf- 
fered has been because of Tiversa and Tiversa’s actions with the 
law firm. 

And, in fact, as far as the FTC is concerned, they sent them a 
note saying, there’s this form out there — there’s this file out there, 
you need to take a look at it. And they’ve not prosecuted, they’ve 
done nothing else. Really, they’ve been the victims of a class action 
lawsuit that was initiated by Tiversa after they found a document 
on a separate peer-to-peer network that was not the one that was 
Open Secret’s — I mean, Open Door’s. 

Chairman ISSA. You may very well be right. And I think you’re 
getting a nod from Open Door. 

But I think the gentlelady has made the exact point that I hope 
we can all come together on, which is we have a whistleblower who 
wants to give us detailed information directly related to each of 
these events with actual recorded hard disk data and only asked 
that his involvement and his testimony as to how he was involved 
in this at Tiversa not lead to his prosecution. And that is all that, 
in fact, when you see the proffer, if you will please see it, video 
proffer, you’re going to see, is a demonstration specifically of that. 
And it does give us a fact witness, however flawed in any other 
way, a fact witness who will make specific allegations as to par- 
ticular companies and where their data was or wasn’t; additionally, 
and for me as a former ranking member and member of this com- 
mittee, is also prepared to testify about evidence that was pre- 
sented to this committee under oath. And that’s why we have 
sought to have this witness. 

Today’s hearing deals with what we know and what happened to 
these individuals and with some of the pitfalls of, does the FTC, 
for example, in the case of Open Door, did they get second corrobo- 
ration or did they send that letter in your case, and a lawsuit in 
your case, based on a single source that may or may not have been 
accurate? 

And, to a certain extent, I know we’re all getting mired in Sec- 
tion 5 authority. This is more than Section 5 authority. It’s about 
whether an agency, even if it has the authority, what are the safe- 
guards before they file a lawsuit? What are the safeguards to make 
sure that the allegations are independently corroborated? Because 
cybersecurity is, in fact, as the gentlelady knows, it’s not a hard 
science where you can be sure. And if somebody says this hap- 
pened, making sure it happened is important. 
So this is a broad subject. Cybersecurity is a core element of our 
oversight, not just here but throughout government. And it’s one of 
the reasons I thought bringing up the whole question of how do we 
move cybersecurity positively — because, Mr. Hartzog, I think you 
would agree, and, Mr. Stegmaier, I think you would agree, that to 
the extent the FTC has authority, it’s in order to protect against 
unfair practices, that’s their basic — but, in fact, to move us into 
greater security and reliability of people’s information when it’s 
held by third parties. And that goes to the core of cybersecurity in 
and out of government. 

So my view was this hearing, separate from the other discussion 
that I hope to have with the whistleblower, this hearing was worth- 
while not because there’s an ongoing investigation or case, Mr. 
Daugherty, and not because of what you’ve suffered alone, but be- 
cause you’re helping America understand this is complex, we have 
to make sure that allegations are correct, and we have to make 
sure that if there’s a bad actor basically selling services in an un- 
ethical way that we hold them accountable. 

And that’s why I’m so interested in your line of questioning and 
I support it and I appreciate it. 

Ms. Duckworth. Thank you, Mr. Chairman. 

Again, I don’t think the FTC filed a lawsuit against Mr. Roesler, 
just warned him that the file was out there. But I agree with you 
that I would like to know more about this process, so it would be 
great if we could have the FTC here in testimony. 

Chairman ISSA. And we do intend to. What we’re asking is that 
they answer our questions as to some of this corroboration and so 
on. We expect to ask both Tiversa and the FTC. 

One of the challenges — and I hope the ranking member will 
chime in on this, too. Mr. Connolly’s statement about an ongoing 
lawsuit means that we have to think about how and when we bring 
the FTC in so that we not put them here specifically talking about 
a lawsuit that is ongoing. So I want to be a little careful on that. 
We are working with the IG. And the FTC’s IG is available to come 
in and brief your office, because she has a separate investigation 
that we’re respecting, her ongoing investigation. 

Mr. Cummings? 

Mr. Cummings. Thank you. 

Mr. Chairman, I want to just go back to something you just said. 

And I want to direct this to you, Mr. Hartzog. When the chair- 
man — and I think when you boil a lot of this down, this issue of 
independent corroboration and trying to be fair — and I think that’s 
what the chairman is saying. He’s not — I think he’s saying that, 
you know, there may be appropriate times, but trying to have a 
sense of fairness with it all. Because these gentlemen, I think, 
would say that they feel that they have been treated unfairly. 

So can you talk about, I mean, how that would work and how 
other agencies deal with that? Do you understand what I’m saying? 

Mr. Hartzog. Sure. Sure. So it’s difficult for me to speculate on 
the way that other agencies deal with that. But I will say that it’s 
important to remember that when the FTC gets information about 
a potential breach or a vulnerability, that’s just the very beginning 
of the inquiry, right? So the FTC doesn’t police data breaches; the 
FTC polices unreasonable data-security practices. 

Now, a breach can be evidence of a data-security practice, but 
that’s just the starting point, right? So if you look at the com- 
plaints, the complaints actually have kind of a litany of data-secu- 
rity failures, so failure to have a training program and failure to 
implement administrative and technical and physical safeguards. 
And all of these things are things that are incumbent upon the 
FTC to actually prove if they allege them in the complaint. 

And so I think that we want to be careful not to assume that just 
because the FTC has been notified of a breach, that that imme- 
diately means that the company that suffered the breach is liable, 
right? So the FTC is — it’s on the FTC to fill that out, right, to say, 
well, what actually were the — were there unreasonable data-secu- 
rity practices that allowed this breach to happen? Or was this a 
breach that was going to happen regardless of whether there were 
reasonable data-security practices? 

And that, to me, is really where the FTC, you know, starts doing 
its real investigative work, in that, you know, the notification of a 
breach is just kind of the first tip that leads to an investigation. 

Chairman ISSA. Thank you. 

Mr. Clay? 

Mr. Clay. Thank you, Mr. Chairman, and thank you for con- 
ducting this hearing. 

Some critics of the FTC’s approach to data protection have ar- 
gued that the FTC has not provided adequate notice of the guide- 
lines a company must follow to avoid an enforcement action. For 
example, in Federal litigation in New Jersey, Wyndham Hotels ar- 
gued, “If the FTC can regulate data security at all, it must do so 
through published rules that give regulated parties fair notice of 
what the law requires.” 

Professor Hartzog, do you agree that published rules are required 
to give organizations notice of the data-security standards that are 
required? 

Mr. Hartzog. I don’t think that that’s necessarily accurate. I 
think that administrative agencies like the FTC actually have the 
choice of publishing rules or proceeding in a case-by-case basis and 
establishing the contours of the law in that way. 

And, in this instance, when you have a complex and ever-evolv- 
ing problem like data security, which is really more of a process 
than a set of rules, then the FTC has chosen, and I think probably 
wisely, to proceed in a case-by-case basis in order to incrementally 
establish rules and be adaptive to the ever-changing needs of con- 
sumers to have their data protected. 

Mr. Clay. Well, how can a company know when it’s going to run 
afoul of the data-security requirements if they don’t have notice of 
the rules? 

Mr. Hartzog. I would actually argue that they do have notice of 
what’s required. So there are several different things that you can 
look to. When you have a reasonableness approach, the FTC isn’t 
the only agency, the only regulatory scheme that uses a reasonable- 
ness approach. So States do, and there are other statutes that take 
advantage of it. 

And you can look to basic things, right? So even in the statement 
that the FTC issued on its 50th data-security complaint let it know 
that there are really five basic things that you have to do. You 
know, you have to identify your assets and risks; you have to minimize 
data; you have to implement safeguards; and you have to 
have a breach response plan. And those are the basic components. 

And the way that you then fill that in is you look to lots of dif- 
ferent variables, like the size of the company and the sensitivity of 
the data and the amount of data that you’re collecting and the re- 
sources that you have available, which of course vary wildly accord- 
ing to company. 

And so it actually, I think, would be a mistake to try to put those 
into rules because they inevitably would be either overinclusive or 
overprotective or underinclusive depending upon the context. And 
so, really, the only way forward, in my mind, is to proceed upon 
a reasonableness basis here. 

Mr. Clay. Okay. 

Other critics of the FTC Section 5 enforcement authority have ar- 
gued that the FTC should establish bright-line data-security stand- 
ards in advance of any enforcement measures delineating exactly 
what companies must do to comply with this data-security obliga- 
tion. 

Professor Hartzog, in your recent article on the FTC and data 
protection, you address this point, writing, “Many critics want a 
checklist of data-security practices that will provide a safe harbor 
in all contexts. Yet data security changes too quickly and is far too 
dependent upon context to be reduced to a one-size-fits-all check- 
list.” 

Professor, can you elaborate briefly on what you mean here? How 
is data security changing in ways that make formal rulemaking im- 
practical? 

Mr. Hartzog. Sure. So I’ve spoken with a lot of data-security 
professionals in doing my research, and they almost uniformly tell 
me that you can either have a one-size-fits-all checklist that lists 
the 17 things that you’re supposed to do or you can have good data 
security, but you can’t have both. 

And the reason why that is is that data security changes so 
much, and it wouldn’t make much sense to say that small busi- 
nesses have to follow the same data-security protocols that Target 
and Amazon have to follow. And so it actually is very dependent 
upon all these variables. 

And to the extent that we’ve heard testimony today saying that, 
you know, oh, well, we have guidance from HIPAA and we have 
guidance from Gramm-Leach-Bliley, I would ask everyone actually 
to look at the complaints filed by the FTC. They’re very similar to 
the requirements in HIPAA and Gramm-Leach-Bliley. And so, to 
the extent that everyone is kind of fine with the way that those 
work, I think you can see similar kinds of requirements in the com- 
plaints filed by the FTC. 

Mr. Clay. And you also wrote that flexibility to adapt to new sit- 
uations, the FTC can wait until a consensus around standards de- 
velops and then codify them as this happens. 

Mr. Hartzog. That’s correct. So one of the problems with formal 
rulemaking is that if you make it too technologically specific, then 
by the time the rule actually gets passed, it’s become outdated and 
you’ve got to start the whole process all over again, and it becomes 
this never-ending series of trying to update standards that have be- 
come outdated. 

We’ve actually seen this in other areas of the law where we’ve 
tried to list out technological specifications, and we now get rou- 
tinely frustrated, you know, that they’re outdated because it 
changes so quickly. 

Mr. Clay. Thank you for your responses. 

Mr. Chairman, my time has expired. 

Chairman ISSA. Thank you, Mr. Clay. 

Well, we’re going to come to a close, which is probably blessed 
for all of you. But I have just a final set of questions, and I’m going 
to go to each of you. 

Mr. Hartzog, I hear everything you’re saying, but if I’m to believe 
what you’re saying, the complaints and the consent decrees are 
supposed to be my guidance as to what I have to do. I have to find 
within the complaints a company and a set of information that’s 
similar to mine to figure out what I should or shouldn’t do. 

But even then, the consent decree says, we’re going to keep an 
eye on you for 20 years. So, 2 years later, 3 years later, what 
they’re doing behind closed doors in their oversight of that one 
company, I don’t have visibility on that. 

So how am I supposed to know what the law is? 

Mr. Hartzog. So I would actually say, instead of looking kind of 
to the consent decree, you look to the complaints. And the com- 
plaints actually point to industry standards, right? And there are 
various, actually, standards you could look to. So you could look 
to 

Chairman ISSA. But none of those standards are safe havens; is 
that right? 

Mr. Hartzog. Well, no, not explicit safe havens, but I think the 
understanding is 

Chairman ISSA. But wait a second. If I go 34 miles an hour in 
a 35-mile-an-hour zone, I’m not going to get a speeding ticket. Is 
that right? 

Mr. Hartzog. I’m really glad you brought that up. So Mr. 
Stegmaier brought up the whole speeding-limit thing, as far as how 
that’s adequate notice. I would also add that if you look at speeding 
rules, in inclement rules the speeding rules actually change; they 
say drive reasonably under the circumstances. And yet we don’t 
have a problem with that speeding law, which is, of course, based 
on a reasonableness standard. 

Chairman ISSA. That happens to be an interesting law, because 
it only gets enforced when you have an accident, and then they will 
sue you. They will claim that you were driving too fast for condi- 
tions. 

I appreciate the fact that you noted, then, that when the “fit hits 
the shan,” when things go bad — I worked on that for a long time; 
I want you to appreciate that — then they will write you a ticket, 
when even when you drove the speed limit something happened. 
But there has to be a bad occurrence for that to be enforced. So 
I think we’re all agreeing it’s a good example. 

But cybersecurity is a real question. I don’t know everything 
about LabMD. I don’t know everything about Open Door. But I will 
tell you that people right now, whether they have a server in a 
closet and they’re buying the latest software from Microsoft and 
other companies or they’re up on Amazon or somebody else’s vir- 
tual network, they don’t know what the standard is. 

I know one thing. Target and the U.S. Government at 
HealthCare.gov spent millions of dollars on security, hired count- 
less experts in and out of house, and they were obviously data fail- 
ures. So it’s an inexact science. 

The Federal Trade Commission has a mandate to protect us as 
consumers from, effectively, willful or reckless behavior. LimeWire 
participated in reckless behavior in the switches, how they had 
them turned down, what the default was, perhaps even on the 
peer-to-peer. But, certainly, because they made you most vulner- 
able, unless you knew a lot about the software and installation, 
they created a vulnerability which, quite frankly, was intentional. 

And in a hearing before this committee, we pretty much got that, 
that they were — they thought it was great to open wide, when, in 
fact, they were implying it was small. To me, that’s what the Fed- 
eral Trade Commission was supposed to go after. They just weren’t, 
apparently, an easy enough target. 

So as we look at, not Section 5 authority — because I believe that 
Section 5 authority intended on deceptive and unfair practices in 
the Internet world, in the cyber world, being an authority; I think 
they did. But I think they wanted us to go after LimeWire, after 
people who claimed things. 

And, quite frankly, I think maybe they want to go after a com- 
pany like Tiversa, who goes around and trolls all over the Internet, 
using expertise that some might say was similar to the CIA — who, 
by the way, paid Tiversa at one point. And they go out and they 
find all these vulnerabilities, and then they turn them into busi- 
ness practices. And, in fact, every indication is they not only found 
the vulnerabilities but they stole information off those products. 
They stole them after the CEO of that company testified that these 
people were victims. Mr. Boback testified before this committee 
that people whose employees loaded LimeWire were victims, that, 
in fact, the person loading LimeWire was a victim because he or 
she didn’t understand that they were creating the vulnerability. 

So the very person who said you’re a victim of this peer-to-peer 
software before this committee then used that vulnerability to pull 
data, to steal data. And to the extent they stole data only so they 
could inform the company and show them that it happened, I 
might say that it wasn’t wrong. But to the extent that it was $475 
an hour, that becomes a little more questionable. To the extent 
that they then go to the FTC if you don’t say yes, as though they 
have a civic obligation. 

Our discovery is not finished, but at this point it appears as 
though if you paid Tiversa, you never would’ve gotten that letter 
from the FTC. Mr. Daugherty, if you’d paid Tiversa, you never 
would’ve had these years of agony. And for just a few hundred 
thousand dollars, you probably would still have a going concern in- 
stead of litigation ongoing. 

Now, that doesn’t go to the merit of the letter, it doesn’t go to 
the merit of the suit. It goes to the whole question of the practice. 
We haven’t passed a law that says, if you go out and surf the Inter- 
net, look for vulnerabilities and take things off of people’s private 
sites, including HIPAA-related material, that, in fact, you’re a 
criminal. Maybe we should. And that’s within the jurisdiction of 
Energy and Commerce and other committees, and we take it seri- 
ously. And it’s one of the reasons that this hearing is important. 

Now, I have a closing very self-serving question, mostly for, if 
you will, my two company victims. Things have been said here and 
allegations made and questions about Tiversa as a company. I don’t 
normally investigate companies. It’s not the practice of this com- 
mittee. 

But given — and I’m going to leave Mr. Daugherty, because you’re 
in a lawsuit. I’m just going to leave you out of it for a moment. 

But, Mr. Roesler, your case is completely finished; is that cor- 
rect? 

Mr. Roesler. It is. 

Chairman ISSA. And so you’re done, you have no financial inter- 
est in anything that we look into; isn’t that correct? 

Mr. Roesler. That’s correct. 

Chairman ISSA. So do you believe it’s reasonable for this com- 
mittee to find out what Tiversa took off of your Web site or your 
site or some other site, where they got that information that they 
approached you with an offer to sell you services? 

Mr. Roesler. I believe it’s worth the while if there’s a pattern, 
that I am not the only victim, then it’s worth the while. 

Chairman ISSA. If we thought you were the only one, we wouldn’t 
be here. 

Do you believe it’s important for us to verify the relationship be- 
tween Tiversa and the various companies — many of whom we have 
lists of, so we know you’re not the only one — that they turned over 
to the FTC based on one question? The ones that they offered serv- 
ices to that bought the services where they never turned over to 
the FTC, but ones who declined were often turned over to the FTC. 
Is that a question you think we should find out the answer to? 

Mr. Roesler. I believe that would be a very good question. 

Chairman ISSA. And, lastly, the law firm that sued you in a class 
action, do you believe it’s fair for us to find out whether there was 
a direct connection between these two Pittsburgh-based companies 
and data taken from somewhere yet unknown, provided to the law 
firm, and the law firm then going out and reaching out to your pa- 
tients and clients? Do you believe we should ask those questions 
as part of a broader investigation to find out whether, in fact, that 
was coincidence or, in fact, an attack on your company because you 
didn’t buy their services? 

Mr. Roesler. Mr. Chairman, one of the reasons why I’m glad to 
be here today is the hope that possibly that question could be an- 
swered. 

Chairman ISSA. Well, I’m going to recognize Mr. Cummings. 

These are some of the areas in which I believe that somebody 
should investigate. For now, the somebody is us. Our hope is that 
the FTC IG, who has some authority but not as much as we do, 
oddly enough, to get information from nongovernment entities, and 
perhaps the Justice Department and others will look into it. 

But until we find somebody else, at least for the foreseeable fu- 
ture, my intent is to continue asking those questions. We will in- 
vite Tiversa and others in. As I said at the opening, I would hope 
to hear — that all the Members would hear from the whistleblower, 
not because his accusations are alone of anything other than the 
basis under which we began this, but because when you get one set 
of allegations and you go out to corroborate them and you have 
those as a first statement, then when you find the second corrobo- 
ration, normally it allows you to show that it is true. I want to get 
to the truth. I know Mr. Cummings does. 

So for all of you, Section 5 authority — it’s not our job to second- 
guess what Congress gave them. They gave them the authority. 
Section 5 authority, it is for us to ask, are they acting in a way 
that allows unfair actors to be held accountable and others to know 
how to meet their obligation? You have our commitment, we intend 
to continue and do it. 

As to unfair practices practiced in the cyber world and as to peo- 
ple’s vulnerabilities and how they correct it, this is an ongoing part 
of this investigation. The questions I asked you, I said they were 
self-serving. It’s the intent of this committee to continue for as long 
as it takes to feel that all parties are satisfied that we asked all 
the right questions and got as many answers as we could. 

Mr. Cummings? 

Mr. Cummings. Thank you very much, Mr. Chairman. 

When I — first of all, I want to thank the witnesses for being 
here. You know, sometimes I think witnesses wonder whether they 
have an impact. And I can tell you that all of you were excellent. 
And I really appreciate what you said, and I think the Members 
listened to you very carefully. 

When I first read the title of the hearing, I was very concerned 
with the question of whether FTC has the authority to pursue 
data-security enforcement actions under its current Section 5 au- 
thority. And I think, based upon what the chairman just said, I 
think we all agree that they do. And I agree with him, the question 
is how they go about doing that. 

And I think that there are moments that present themselves in 
our lives where we have to stop for a moment and at least take a 
look at what we’re doing and how we’re doing it. 

Mr. Roesler, Mr. Daugherty, as I said before, if you’ve been treat- 
ed unfairly — you know, and both of you are dealing — your busi- 
nesses dealt with health issues, right? Health. And health is a big, 
big deal for me, personally, and I’m sure it’s a big deal for most 
of us. But I want us to be very careful. 

You know, government does have a role to play. It really does. 
When people’s information is out there, their lives can be turned 
upside down. I’ve had people come to me as a Congressman, talk 
about their identity being stolen and taking years and years to get 
it back. We have to have some folks making sure that we protect 
as best we can against that. 

And I think that there’s always a balance. You know, there’s got 
to be a balance so that we don’t just run over people like you, Mr. 
Roesler, and you, Mr. Daugherty, but, at the same time, make sure 
that folks who are aiming to do these kinds of things know that 
we’re not going to stand for it and that somebody’s going to be look- 
ing and somebody’s going to bring them to justice. 
So that’s where, you know — that’s — you know, if you listen to ev- 
erything that has been said here today, I think that’s what it pret- 
ty much boils down to. How do we strike that balance? 

And so I thank you, Mr. Chairman. I think it was a good hear- 
ing. I look forward to hearing from the FTC. And you’re right, try- 
ing to hear from the FTC is going to be kind of tricky, because it 
seems as if — I mean, if you could limit the questions to their gen- 
eral procedures without getting into the case, I think that might 
be helpful, but it’s going to be tricky. But I think we do need to 
hear from them as to how they go about this. 

But, again, this is a critical moment. And I think we need to try 
to take advantage of it so that, if something needs to be corrected, 
that we correct it. I think anybody wants to have some idea of 
what they’re being accused of. I mean, were there ways to get the 
information out in a better way? You know, this is what you need 
to look out for. It’s just like when you’re riding down the road and 
it says, you know, 25 miles an hour, radar enforced by photos. You 
know, I mean, at some point, it’s nice to have a little notice. And 
all of us know after we’ve gotten a ticket or two that we slow down. 
And we know those areas by heart; we just know them. 

And so, again, I thank you all for your testimony. I really, really 
appreciate it. 

And thank you. 

Chairman ISSA. Thank you. 

I’ll leave the record open for 7 days, not only for Members to put 
in opening statements and extraneous material, but for the wit- 
nesses to provide any additional information they deem appropriate 
as a result of the questions here. 

Chairman ISSA. I want to thank you for your testimony. I want 
to thank you for making this a worthwhile hearing. 

And we stand adjourned. 

[Whereupon, at 12:24 p.m., the committee was adjourned.] 